Security

'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections (wired.com) 57

An anonymous reader quotes a report from Wired: Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it. At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.

Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a "bootkit" that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot -- which the researchers warn encompasses the large majority of the systems they tested -- a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system. Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as an SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says. Nissim sums up that worst-case scenario in more practical terms: "You basically have to throw your computer away."
In a statement shared with WIRED, AMD said it "released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon."

The company also noted that it released patches for its EPYC processors earlier this year. It did not answer questions about how it intends to fix the Sinkclose vulnerability.
Businesses

Cisco To Lay Off Thousands More in Second Job Cut This Year (reuters.com) 45

Cisco will cut thousands of jobs in a second round of layoffs this year as the U.S. networking equipment maker shifts focus to higher-growth areas, including cybersecurity and AI, Reuters reported Friday, citing sources. From the report: The number of people affected could be similar to or slightly higher than the 4,000 employees Cisco laid off in February, and will likely be announced as early as Wednesday with the company's fourth-quarter results, said the sources, who were not authorized to speak publicly.
Security

Cow and Calf Die After Hackers Attack Farm's Milking Robot (agrarheute.com) 39

According to Agrarheute, hackers launched a cyberattack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. Tragically, this led to the death of a cow and her calf. From the report (translated from German into English): According to the CSO, hackers attacked the computers of a farmer from Hagendorn. The dairy farmer's milking robot was also connected to these computers. When the animal owner stopped receiving milking data, he initially suspected a dead zone. But then he learned from the manufacturer of his milking system that he had been hacked. Apparently it was a ransomware attack. The hackers demanded $10,000 to decrypt the data. The farmer considered whether he should give in to the cyber criminals' demands. At first he thought the data on the amount of milk produced was bearable. In addition, the milking robot also worked without a computer or network connection. The cows could therefore continue to be milked.

For one cow, however, the cyberattack ended tragically. The farmer normally receives vital data from his cows via the system. This is particularly important and critical for pregnant animals. One cow's calf died in the womb. Because the computer was paralyzed, Bircher was unable to recognize the emergency in time. They tried everything to at least save the cow, but in the end it had to be put down. Overall, the attack caused monetary damages amounting to the equivalent of over 6,400 euros, mainly due to veterinary costs and the purchase of a new computer. However, the hackers came away empty-handed.

Operating Systems

Linux Will Be Able To Boot 0.035 Seconds Faster With One Line Kernel Patch (phoronix.com) 44

Michael Larabel reports via Phoronix: Intel Linux engineer Colin Ian King discovered that aligning the slab caches in the ACPI code via the "SLAB_HWCACHE_ALIGN" flag offers a measurable improvement in memory performance and reduces the kernel boot time.

Colin explained with this one line kernel patch: "Enabling SLAB_HWCACHE_ALIGN for the ACPI object caches improves boot speed in the ACPICA core for object allocation and free'ing especially in the AML parsing and execution phases in boot. Testing with 100 boots shows an average boot saving in acpi_init of ~35000 usecs compared to the unaligned version. Most of the ACPI objects being allocated and free'd are of very short life times in the critical paths for parsing and execution, so the extra memory used for alignment isn't too onerous."

Android

Nova Launcher, Savior of Cruft-Filled Android Phones, Is On Life Support (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Back in July 2022, when mobile app metrics firm Branch acquired the popular and well-regarded Nova Launcher for Android, the app's site put up one of those self-directed FAQ posts about it. Under the question heading "What does Branch want with Nova?," Nova founder and creator Kevin Barry started his response with, "Not to mess it up, don't worry!" Branch (formerly/sometimes Branch Metrics) is a firm concerned with helping businesses track the links that lead into their apps, whether from SMS, email, marketing, or inside other apps. Nova, with its Sesame Search tool that helped users find and access deeper links -- like heading straight to calling a car, rather than just opening a rideshare app -- seemed like a reasonable fit. Barry wrote that he had received a number of acquisition offers over the years, but he didn't want to be swallowed by a giant corporation, an OEM, or a volatile startup. "Branch is different," he wrote then, because they wanted to add staff to Nova, keep it available to the public, and mostly leave it alone.

Two years later, Branch has left Nova Launcher a bit too alone. As documented on Nova's official X (formerly Twitter) account, and transcripts from its Discord, as of Thursday Nova had "gone from a team of around a dozen people" to just Barry, the founder, working alone. The Nova cuts were part of "a massive layoff" of purportedly more than 100 people across all of Branch, according to now-former Nova workers. Barry wrote that he would keep working on Nova, "However I have less resources." He would need to "cut scope" on an upcoming Nova release, he wrote. Other employees noted that customer support, marketing, and even correspondence would likely be strained or disappear.
"While Nova is not dead (despite mine and others' eulogistic tones), it's certainly not positioned to launch bold new features or plot new futures," writes Ars' Kevin Purdy, in closing. "Here's hoping Barry can make a go of Nova Launcher for as long as it's viable for him."
Communications

FCC Proposes New Rules For AI-Generated Robocalls and Robotexts (engadget.com) 11

The FCC has proposed new rules governing the use of AI-generated phone calls and texts. Part of the proposal centers on creating a clear definition for AI-generated calls, with the rest focusing on consumer protection by making companies disclose when AI is being used in calls or texts. A report adds: "This provides consumers with an opportunity to identify and avoid those calls or texts that contain an enhanced risk of fraud and other scams," the FCC said. The agency is also looking to ensure that legitimate uses of AI to assist people with disabilities to communicate remain protected.
Education

A Crackdown Is Coming for People Hanging On To Student Discounts (msn.com) 47

Major U.S. companies are tightening eligibility requirements for student discounts, cracking down on graduates who continue to claim benefits years after leaving school. Amazon, Spotify, and other firms are partnering with verification services like SheerID to validate student status, ending an era of lax enforcement that allowed many to exploit discounts long after graduation.

While companies aim to build brand loyalty among young consumers, they're also guarding against fraud. SheerID claims it helped clients avoid $2 billion in fraudulent discounts last year. Most streaming services retain over 90% of student customers after graduation, according to SheerID CEO Stephanie Copeland Weber. "They're building trust and loyalty with those consumers," she told WSJ.
Programming

Agile is Killing Software Innovation, Says Moxie Marlinspike (theregister.com) 184

There's a rot at the heart of modern software development that's destroying innovation, and infosec legend Moxie Marlinspike believes he knows exactly what's to blame: Agile development. Marlinspike argued that Agile methodologies, widely adopted over the past two decades, have confined developers to "black box abstraction layers" that limit creativity and understanding of underlying systems.

"We spent the past 20 years onboarding people into software by putting them into black box abstraction layers, and then putting them into organizations composed of black box abstraction layers," Marlinspike said. He contended this approach has left many software engineers unable to do more than derivative work, lacking the deep understanding necessary for groundbreaking developments. Thistle Technologies CEO Window Snyder echoed these concerns, noting that many programmers now lack knowledge of low-level languages and machine code interactions. Marlinspike posited that security researchers, who routinely probe beneath surface-level abstractions, are better positioned to drive innovation in software development.
China

How China Built Tech Prowess: Chemistry Classes and Research Labs (nytimes.com) 44

Stressing science education, China is outpacing other countries in research fields like battery chemistry, crucial to its lead in electric vehicles. From a report: China's domination of electric cars, which is threatening to start a trade war, was born decades ago in university laboratories in Texas, when researchers discovered how to make batteries with minerals that were abundant and cheap. Companies from China have recently built on those early discoveries, figuring out how to make the batteries hold a powerful charge and endure more than a decade of daily recharges. They are inexpensively and reliably manufacturing vast numbers of these batteries, producing most of the world's electric cars and many other clean energy systems.

Batteries are just one example of how China is catching up with -- or passing -- advanced industrial democracies in its technological and manufacturing sophistication. It is achieving many breakthroughs in a long list of sectors, from pharmaceuticals to drones to high-efficiency solar panels. Beijing's challenge to the technological leadership that the United States has held since World War II is evidenced in China's classrooms and corporate budgets, as well as in directives from the highest levels of the Communist Party.

A considerably larger share of Chinese students major in science, math and engineering than students in other big countries do. That share is rising further, even as overall higher education enrollment has increased more than tenfold since 2000. Spending on research and development has surged, tripling in the past decade and moving China into second place after the United States. Researchers in China lead the world in publishing widely cited papers in 52 of 64 critical technologies, recent calculations by the Australian Strategic Policy Institute reveal.

Technology

OpenAI Finds That GPT-4o Does Some Truly Bizarre Stuff Sometimes (techcrunch.com) 31

OpenAI's latest AI model, GPT-4o, exhibits unusual behaviors, including voice cloning and random shouting, according to a new "red teaming" report. The model, which powers ChatGPT's Advanced Voice Mode alpha, is OpenAI's first trained on voice, text, and image data. In high-noise environments, GPT-4o occasionally mimics users' voices, a quirk OpenAI attributes to difficulties processing distorted speech. The company said it has implemented a "system-level mitigation" to address this issue. The report also reveals GPT-4o's tendency to generate inappropriate vocalizations and sound effects when prompted.
Security

Sellafield, World's Largest Store of Plutonium, Apologizes After Guilty Plea Over String of Cybersecurity Failings (theguardian.com) 27

Bruce66423 writes: Sellafield [U.K.'s largest nuclear site] has apologised after pleading guilty to criminal charges relating to a string of cybersecurity failings at Britain's most hazardous nuclear site, which it admitted could have threatened national security.

Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard. Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out.

The Guardian's investigation also revealed concerns about external contractors being able to plug memory sticks into Sellafield's system while unsupervised and that its computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain because it was so sensitive and dangerous.

The good news is that the problem has been spotted. The bad news is that there can be no meaningful punishment for a government owned company. One can only hope that they will do better in the future.

Microsoft

Microsoft Researchers Report Iran Hackers Targeting US Officials Before Election (reuters.com) 35

Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a "high ranking official" on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official. From a report: The breaches were part of Iranian groups' increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the "official" in question.

The report follows recent statements by senior U.S. Intelligence officials that they'd seen Iran ramp up use of clandestine social media accounts with the aim to use them to try to sow political discord in the United States. Iran's mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were "defensive and proportionate to the threats it faces" and that it had no plans to launch cyber attacks.

Earth

US Landfills Are Major Source of Toxic PFAS Pollution, Study Finds (theguardian.com) 47

Toxic PFAS "forever chemicals" that leach from landfills into groundwater are among the major pollution sources in the US, and remain a problem for which officials have yet to find an effective solution. Now new research has identified another route by which PFAS may escape landfills and threaten the environment at even higher levels: the air. From a report: PFAS gas emitted from landfill waste ends up highly concentrated in the facilities' gas treatment systems, but the systems are not designed to manage or destroy the chemicals, and much of it probably ends up in the environment.

The findings, which showed up to three times as much PFAS in landfill gas as in leachate, are "definitely an alarming thing for us to see," said Ashley Lin, a University of Florida researcher and the lead author of the study. "These findings suggest that landfill gas, a less scrutinized byproduct, serves as a major pathway for the mobility of PFAS from landfills," the paper's authors wrote.

PFAS are a class of about 16,000 compounds used to make products resistant to water, stains and heat. They are called "forever chemicals" because they do not naturally break down and have been found to accumulate in humans. The chemicals are linked to cancer, birth defects, liver disease, thyroid disease, plummeting sperm counts and a range of other serious health problems. As researchers have begun to understand the chemicals' dangers in recent years, the focus has largely been on water pollution, and regulators have said virtually all leachate from the nation's 200 landfills contains PFAS. But scientists are beginning to understand that PFAS air pollution is also a significant threat.

Anime

Netflix, Crunchyroll Impacted by Data Leak, With Full Episodes of Anime Titles Released (thewrap.com) 15

An anonymous reader writes: Netflix and Crunchyroll titles leaked on Thursday, with full episodes of shows released on social media including the anticipated "Heartstopper" Season 3 and anime fare like "Arcane" and the Season 3 premiere of "Re:Zero."

The leak was first reported internationally, as fans spotted clips of unfinished footage on social media. "One of our post-production partners has been compromised and footage from several of our titles has unfortunately leaked online," a Netflix spokesperson said in a statement exclusively to TheWrap Thursday night. "Our team is aggressively taking action to have it taken down."

Encryption

Signal Developer Explains Why Early Encrypted Messaging Tools Flopped 98

Signal developer Moxie Marlinspike criticized early encryption software's user-unfriendly design at Black Hat 2024, admitting he and others initially failed to consider non-technical users' needs. Speaking with Black Hat founder Jeff Moss, Marlinspike said developers of tools like Pretty Good Privacy (PGP) wrongly assumed users would adopt complex practices like running keyservers and signing keys over dinner. "We were just wrong," Marlinspike said, describing this as "software snobbery" that undermined wider adoption. "You take on the complexity instead of making the user deal with it," Marlinspike said, contrasting PGP's arcane interface with Signal's more accessible design.
United Kingdom

CRISPR Gene-Editing Being Offered To British Blood Disorder Patients (bbc.com) 6

The first therapy that uses gene-editing is to be offered on the NHS in a "revolutionary breakthrough" for patients. From a report: It will be used as a potential cure for the blood disorder beta thalassaemia. Stem cells which make blood will be extracted, reprogrammed to correct the condition and returned to the patient's body. It could spare them from needing a blood transfusion every three to five weeks for life. People with beta thalassaemia struggle to produce enough haemoglobin, which is the protein in red blood cells that carries oxygen around the body. It is a genetic disease that is passed down through families and caused by defects in the body's instructions for manufacturing haemoglobin. It can leave people severely tired, weak, and short of breath and also cuts life expectancy.
First Person Shooters (Games)

DOOM and DOOM 2 Getting New Enhanced Versions (ign.com) 63

QuakeCon 2024 kicks off today with the announcement of enhanced remasters of the first two Doom games, which will feature online cross-platform deathmatch, co-op support for up to 16 players, upgraded visuals, and additional content including a new episode for Doom 2. The compilation, titled DOOM + DOOM 2, runs on the KEX Engine and will include new maps, a newly-updated soundtrack, and support for 4K resolution, with a possible free upgrade for existing console owners. IGN reports: While unconfirmed, it appears that console owners who already own DOOM or DOOM 2 will get the upgrade for free. It's currently available for purchase on Xbox Series X/S for $9.99, though it has been pulled from the Steam store. When it's released, DOOM + DOOM 2 will be perhaps the most comprehensive version of the venerable shooters to date. You can watch the trailer here.
Security

USPS Text Scammers Duped His Wife, So He Hacked Their Operation (wired.com) 61

Security researcher Grant Smith uncovered a large-scale smishing scam where scammers posing as the USPS tricked victims into providing their credit card details through fake websites. Smith hacked into the scammers' systems, gathered evidence, and collaborated with the USPS and a US bank to protect over 438,000 unique credit cards from fraudulent activity. Wired reports: The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered. Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she'd inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers. Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people's cards to be protected from fraudulent activity.

In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States -- California, the state with the most, had 141,000 entries -- with more than 1.2 million pieces of information being entered in total. "This shows the mass scale of the problem," says Smith, who is presenting his findings at the Defcon security conference this weekend and previously published some details of the work. But the scale of the scamming is likely to be much larger, Smith says, as he didn't manage to track down all of the fraudulent USPS websites, and the group behind the efforts have been linked to similar scams in at least half a dozen other countries.

Earth

String of Record Hot Months Came To an End In July (arstechnica.com) 81

An anonymous reader quotes a report from Ars Technica: The past several years have been absolute scorchers, with 2023 being the warmest year ever recorded. And things did not slow down in 2024. As a result, we entered a stretch where every month set a new record as the warmest iteration of that month that we've ever recorded. Last month, that pattern stretched out for a full 12 months, as June of 2024 once again became the warmest June ever recorded. But, despite some exceptional temperatures in July, it fell just short of last July's monthly temperature record, bringing the streak to a close.

Europe's Copernicus system was first to announce that July of 2024 was ever so slightly cooler than July of 2023, missing out on setting a new record by just 0.04 degrees C. So far, none of the other major climate trackers, such as Berkeley Earth or NASA GISS, have come out with data for July. These each have slightly different approaches to tracking temperatures, and, with a margin that small, it's possible we'll see one of them register last month as warmer or statistically indistinguishable.
According to the Copernicus system, July 2024 was 0.68 degrees above the average temperature for July from 1991 to 2020. It also included the warmest day ever recorded.

In terms of anomalies, July 2024 also represents the first time in a year that a month was less than 1.5 degrees C above preindustrial temperatures (defined as the average from 1850-1900).
Bitcoin

FTX Ordered To Pay $12.7 Billion To Customers, US CFTC Says (reuters.com) 14

FTX has been ordered to pay $12.7 billion in relief to its customers, according to the Commodity Futures Trading Commission (CFTC). In a statement, CFTC Chairman Rostin Behnam said the crypto exchange drew customers in with "an illusion that it was a safe and secure place to access crypto markets," then misappropriated their customer deposits to make its own risky investments. Reuters reports: The repayment order implements a settlement between the CFTC and the bankrupt crypto exchange, which has committed to a bankruptcy liquidation that will repay customers whose deposits were locked during its late 2022 collapse. FTX has said that its customers will receive 100% recovery on their claims against the company, based on the value of their accounts at the time it filed for bankruptcy. The CFTC agreement resolves a potential roadblock to that repayment, ensuring that the government's lawsuit against FTX will not reduce the funds available to its customers. The CFTC agreed not to collect any payment from FTX until all its customers are repaid, with interest.

The CFTC settlement requires FTX to pay $8.7 billion in restitution and $4 billion in disgorgement, which will be used to further compensate victims for losses suffered during the exchange's collapse. [...] FTX is currently soliciting votes on its bankruptcy proposal but faces opposition from some customers who feel short-changed by the decision to repay them based on much-lower cryptocurrency prices from November 2022. Votes are due on Aug. 16, and FTX intends to seek final approval of its wind-down plan on Oct. 7.
