Security

The LastPass Disclosure of Leaked Password Vaults Is Being Torn Apart By Security Experts (theverge.com)

Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. "While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager," reports The Verge. Here's an excerpt from the report: LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident where LastPass says "some source code and technical information were stolen" as a separate breach when he says that in reality the company "failed to contain" the breach. He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with." LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted."

Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology" wrote Karim Toubba, the company's CEO. "This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices." However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it."

Bitcoin

FTX's Sam Bankman-Fried Borrowed From Alameda To Buy Robinhood Shares (coindesk.com)

Former FTX chief Sam Bankman-Fried borrowed hundreds of millions of dollars from Alameda Research to purchase his stake in trading app Robinhood Markets (HOOD), according to court documents (PDF). CoinDesk reports: In an affidavit provided to a Caribbean court before his arrest, Bankman-Fried said he and FTX co-founder Gary Wang together borrowed over $546 million from Alameda via promissory notes in April and May. They used that money to capitalize Emergent Fidelity Technologies Ltd., the shell corporation that in May bought a 7.6% stake of Robinhood. The affidavit provides a new curveball in the three-way race to lay claim to the 56 million Robinhood shares. Crypto lender BlockFi, FTX Group and Bankman-Fried himself have all attempted to lay claim to the shares, which could be worth over $440 million.

Crypto lender BlockFi, which like FTX has filed for bankruptcy, alleged in a court document (PDF) that it was owed the rights to the Robinhood shares due to a deal Bankman-Fried made in early November. The shares were pledged as collateral against a loan taken out by Alameda Research -- the same firm whose funds were used to purchase the shares to begin with, according to Tuesday's filing.

Software

Ask Slashdot: What Note-Taking App Do You Use?

An anonymous reader writes: This column about a writer's struggle to find the perfect note-taking app resonated a lot with me. "A singular productivity tool that works for everyone is a unicorn -- beautiful, perfect, and completely fictional. Still, there has to be some sort of middle ground between an unachievable fantasy and the current landscape. I would happily settle for two, maybe three apps. Honestly, less than 10 is all I'm asking for. Until then, my phone and laptop will be a cluttered mess of productivity apps that only do half their jobs," writes Victoria Song.

Over the years, I have tried Notion, Apple Notes, the good old Windows Notepad, Roam Research, Obsidian, Google Keep, Google Docs, and OneNote among possibly many more that I am unable to recall anymore. Some support Apple Pencil, which is one of the use cases I find useful. Roam Research did not even have a native app for mobile devices for the longest time. Some applications are good, but they don't support online syncing, or support syncing with only a particular storage service. And have you noticed just how expensive some of these apps could get? As much as $15-$30 a month! Out of curiosity, and forget my use cases -- as I admit I have not mentioned many -- how do you maintain your notes for work and personal life? (I have been using physical notepads a lot more in recent months but would like an app for digital notes.)
Microsoft

CNET Touts 'Massive' Microsoft Office Deal: 91% Discount on a Lifetime License (cnet.com)

Meanwhile, over in the Microsoft ecosystem, CNET reports: You can ditch the subscription (with recurring charges) and snag a lifetime license of access to Microsoft's Word, Excel, PowerPoint, Outlook, Teams, OneNote, Publisher and Access for just $30...

That's back at the lowest price we've ever seen, and a whopping 91% off the usual price of $349.

However, this deal expires in just a few days, so be sure to get your order in soon. The offer, from StackSocial, applies to both the Windows and Mac versions of the software.

Now, you can always opt to use the free online version of Microsoft Office (which has far fewer features). But compared to the online Microsoft 365 subscription suite that costs $10 per month or $100 per year, this downloadable version is a phenomenal bargain.

The Mac deal ends today, but the Windows deal extends through December 28th, according to CNET's article. "The two big caveats: You get a single key — which only works on a single computer — and there's no Microsoft OneDrive Cloud Storage included."
Cloud

LastPass: Hackers Stole Customer Vault Data In Cloud Storage Breach (bleepingcomputer.com)

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to LastPass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today. "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. According to Toubba, the master password is never known to LastPass, it is not stored on LastPass' systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you've been following the password best practices recommended by LastPass. If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added. "Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."
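The two LastPass items above make two technical points that are easy to check with a small model: the researchers' observation that only selected vault fields are encrypted while metadata such as URLs stays readable, and the company's claim that a master password following its length and strengthening defaults would take "millions of years" to guess. The Python below is an added example written for this page; it is not LastPass code and does not reproduce LastPass's real vault format. It uses a constructed vault record, derives the vault key with the standard library's PBKDF2-HMAC-SHA256, and models attacker cost as a function of password length, KDF iteration count and an assumed guessing throughput. The iteration count (`ITER`), the attacker rate (`RATE`) and the field names are assumptions, not LastPass settings.

```python
import hashlib
import os
import time

# Constructed vault model: only the fields named here are ciphertext; the
# rest (URL, timestamps) are readable by anyone holding the file. This is a
# simplification of the description in the articles, not LastPass's format.
ENCRYPTED_FIELDS = frozenset({"username", "password", "notes"})

# Constructed sample vault; ciphertext is shown as opaque placeholder bytes.
SAMPLE_VAULT = [
    {"url": "https://bank.example", "username": b"\x9f..", "password": b"\x1e..",
     "notes": b"\x7a..", "last_modified": "2022-08-01"},
    {"url": "https://mail.example", "username": b"\x42..", "password": b"\x55..",
     "notes": b"", "last_modified": "2022-11-30"},
]


def readable_without_key(vault):
    """What an offline holder of the vault file learns with no master password at all."""
    return [{k: v for k, v in item.items() if k not in ENCRYPTED_FIELDS} for item in vault]


def derive_vault_key(master_password, salt, iterations):
    """Vault key from the master password; the iteration count is the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_guesses(length, alphabet_size):
    """Average-case guesses for a uniformly random password of the given length."""
    return (alphabet_size ** length) / 2


def crack_years(length, alphabet_size, iterations, attacker_hmac_per_second):
    """Estimated years to brute-force a random master password offline.

    attacker_hmac_per_second is an assumed HMAC-SHA256 throughput for the
    attacker's hardware; each guess costs `iterations` HMAC evaluations.
    """
    derivations_per_second = attacker_hmac_per_second / iterations
    seconds = expected_guesses(length, alphabet_size) / derivations_per_second
    return seconds / (365.25 * 86400)


def meets_length_policy(master_password, min_length=12):
    """The 12-character default the article says was introduced in 2018 but not enforced."""
    return len(master_password) >= min_length


def local_derivation_seconds(iterations, trials=3):
    """Time one derivation on this machine, so the per-guess cost is measured, not assumed."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("benchmark-only", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    ITER = 100_000   # assumed PBKDF2 work factor; check your own account's setting
    RATE = 1e10      # assumed attacker HMAC-SHA256 throughput, a constructed figure
    print("readable with no key:", readable_without_key(SAMPLE_VAULT))
    print("one derivation here: %.3fs" % local_derivation_seconds(ITER))
    for length in (8, 12):
        years = crack_years(length, 95, ITER, RATE)
        print("random %d-char password: %.3g years" % (length, years))
    print("8-char password passes 12-char policy?", meets_length_policy("abcdefgh"))
```

Two things fall out of running it. First, `readable_without_key` returns the full URL list and timestamps no matter how strong the master password is, which is the "movement profile" and targeting concern the researchers raise. Second, the crack-time estimate assumes a uniformly random password; a human-chosen eight-character password falls to dictionary and rule-based guessing far faster than the brute-force figure, and lengthening the password multiplies attacker cost by the alphabet size per extra character, whereas raising the iteration count only scales it linearly. The estimate is therefore an upper bound on attacker effort, not a guarantee.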

Bitcoin

FTX Asks Judge For Help In Fight Over Robinhood Shares Worth About $450 Million (coindesk.com)

FTX sought a U.S. bankruptcy court's help amid a battle over ownership of about $450 million worth of stock in Robinhood Markets (HOOD), according to a filing (PDF) Thursday. CoinDesk reports: At issue are about 56 million shares of the brokerage owned by Emergent Fidelity Technologies Ltd., a corporate entity organized in Antigua and Barbuda and 90% controlled by former FTX CEO Sam Bankman-Fried, according to the filing. Three parties, the filing says, have tried to get control of those shares: BlockFi (a lender that FTX had helped prop up earlier this year), Yonathan Ben Shimon (an FTX creditor appointed as a receiver in Antigua and granted permission to sell the shares under supervision of a court there) and Bankman-Fried himself (who has legal bills).

FTX's bankruptcy estate told ED&F Man Capital Markets, the brokerage where the shares are parked, to freeze the stock around the time the Chapter 11 case began on Nov. 11. FTX has determined that Emergent only "nominally" owns the shares and that they truly belong to FTX. "Emergent is a special-purpose holding company that appears to have no other business," the crypto exchange said in the filing. The judge overseeing the bankruptcy case should force the shares to remain frozen while FTX tries to figure out how to repay all its creditors, FTX argued in the filing.

Desktops (Apple)

Apple Scales Back High-End Mac Pro Plans, Weighs Production Move To Asia (bloomberg.com)

An anonymous reader quotes a report from Bloomberg, written by Mark Gurman: The new high-end Mac Pro with Apple silicon is behind schedule, and you can blame changes to the company's chip and manufacturing plans. When Apple announced plans in June 2020 to transition away from Intel processors to Mac chips designed in-house, the company said the move would take about two years. Now at the tail end of 2022, it's clear that Apple has missed its self-imposed deadline for completing the shift. In addition to not offering a Mac Pro with Apple silicon, the company still only sells the high-end version of the Mac mini desktop in an Intel flavor. While Apple has said little to nothing about its future Mac desktops or the reasons behind the holdup, the company continues to actively test an all-new Mac Pro and an M2 Pro-based Mac mini to replace the remaining Intel models. Apple had aimed to introduce the new Mac Pro by now, but the high-end machine has been held up for a number of reasons, including multiple changes to its features, a significant shift in the company's plans for high-end processors and a potential relocation of its manufacturing.

When Apple first set out to build a replacement for the Intel Mac Pro, it planned a machine with a processor based on the original M1 chip. The approach called for two main configurations: one chip equal to the power of two M1 Max processors -- the highest-end MacBook Pro chip -- and another equal to four M1 Max components combined. The dual M1 Max chip ended up first launching in the Mac Studio as the M1 Ultra, and Apple decided to push back the Mac Pro to the M2 generation. The company then planned for the Mac Pro to come in two configurations: an M2 Ultra version and a double-M2 Ultra that I've dubbed the "M2 Extreme." The M2 Ultra chip is destined to have some serious specifications for professional users, including up to 24 CPU cores, 76 graphics cores and the ability to top out the machine with at least 192 gigabytes of memory. An M2 Extreme chip would have doubled that to 48 CPU cores and 152 graphics cores. But here's the bad news: The company has likely scrapped that higher-end configuration, which may disappoint Apple's most demanding users -- the photographers, editors and programmers who prize that kind of computing power.

The company made the decision because of both the complexity and cost of producing a processor that is essentially four M2 Max chips fused together. It also will help Apple and partner Taiwan Semiconductor Manufacturing Co. save chip-production resources for higher-volume machines. Moreover, there are concerns about how much consumers are willing to spend. Using the highest-end M1 Ultra chip pushes the Mac Studio up to $5,000 -- only $1,000 less than the current Mac Pro. That's $3,000 more than the M1 Max Mac Studio. Based on Apple's current pricing structure, an M2 Extreme version of a Mac Pro would probably cost at least $10,000 -- without any other upgrades -- making it an extraordinarily niche product that likely isn't worth the development costs, engineering resources and production bandwidth it would require. Instead, the Mac Pro is expected to rely on a new-generation M2 Ultra chip (rather than the M1 Ultra) and will retain one of its hallmark features: easy expandability for additional memory, storage and other components.
Gurman says the Mac Mini update "will come in regular M2 and M2 Pro variations, while new 14-inch and 16-inch MacBook Pros are arriving early next year with M2 Pro and M2 Max options." A high-end iMac Pro with Apple silicon is also in the works, "but that machine has suffered internal delays for similar reasons as the Mac Pro," he notes.

In addition, Gurman says Apple is "working on multiple new external monitors [...], including an update to the Pro Display XDR that was launching alongside the Intel Mac Pro in 2019." The new monitors will also include Apple silicon.
Technology

Who Really Invented the Thumb Drive? (ieee.org)

IEEE Spectrum: In 2000, at a trade fair in Germany, an obscure Singapore company called Trek 2000 unveiled a solid-state memory chip encased in plastic and attached to a Universal Serial Bus (USB) connector. The gadget, roughly the size of a pack of chewing gum, held 8 megabytes of data and required no external power source, drawing power directly from a computer when connected. It was called the ThumbDrive. That device, now known by a variety of names -- including memory stick, USB stick, flash drive, as well as thumb drive -- changed the way computer files are stored and transferred. Today it is familiar worldwide. The thumb drive was an instant hit, garnering hundreds of orders for samples within hours. Later that year, Trek went public on the Singapore stock exchange, and in four months -- from April through July 2000 -- it manufactured and sold more than 100,000 ThumbDrives under its own label.

Before the invention of the thumb drive, computer users stored and transported their files using floppy disks. Developed by IBM in the 1960s, first 8-inch and later 5 1/4-inch and 3 1/2-inch floppy disks replaced cassette tapes as the most practical portable storage media. Floppy disks were limited by their relatively small storage capacity -- even double-sided, double-density disks could store only 1.44 MB of data. During the 1990s, as the size of files and software increased, computer companies searched for alternatives. Personal computers in the late 1980s began incorporating CD-ROM drives, but initially these could read only from prerecorded disks and could not store user-generated data. The Iomega Zip Drive, called a "superfloppy" drive and introduced in 1994, could store up to 750 MB of data and was writable, but it never gained widespread popularity, partly due to competition from cheaper and higher-capacity hard drives.

Computer users badly needed a cheap, high-capacity, reliable, portable storage device. The thumb drive was all that -- and more. It was small enough to slip in a front pocket or hang from a keychain, and durable enough to be rattled around in a drawer or tote without damage. With all these advantages, it effectively ended the era of the floppy disk. But Trek 2000 hardly became a household name. And the inventor of the thumb drive and Trek's CEO, Henn Tan, did not become as famous as other hardware pioneers like Robert Noyce, Douglas Engelbart, or Steve Jobs. Even in his home of Singapore, few people know of Tan or Trek. Why aren't they more famous? After all, mainstream companies including IBM, TEAC, Toshiba, and, ultimately, Verbatim licensed Trek's technology for their own memory stick devices. And a host of other companies just copied Tan without permission or acknowledgment.

Technology

How Amazon Put Ukraine's 'Government in a Box' (latimes.com)

An anonymous reader shares a report: Since February, Amazon has been playing Santa Claus to Ukraine, delivering planeloads of goods, including blankets, hygiene kits, diapers, food and toys, for the war-torn nation and refugees in Poland and other parts of Europe. But long term, what's more important to Ukrainians than the gifts coming in is what's going out: massive amounts of government, tax, banking and property data vulnerable to destruction and abuse should Russian invaders get their hands on it. Since the day Russia launched its invasion Feb. 24, Amazon has been working closely with the Ukrainian government to download essential data and ferry it out of the country in suitcase-sized solid-state computer storage units called Snowball Edge, then funneling the data into Amazon's cloud computing system.

"This is the most technologically advanced war in human history," said Mykhailo Fedorov, Ukraine's 31-year-old vice prime minister and minister of digital transformation, referring not just to weapons but data too. Amazon Web Services' "leadership made a decision that saved the Ukrainian government and economy." Amazon has invested $75 million so far in its Ukraine effort, which includes the data transfer via the Snowballs. Fedorov, speaking at a tech conference in Las Vegas this month, called it "priceless." The data, 10 million gigabytes so far, represent "critical information infrastructure. This is core for operation of the economy, of the tax system, of banks, and the government overall," he said. The data also include property records whose safekeeping can help prevent theft of Ukrainian homes, businesses and land.

Through history, invaders have "come in and staged fake referendums and parceled out the land to their chums," said Liam Maxwell, head of government transformation at Amazon Web Services, the company's highly profitable cloud computing arm. "That kind of thing has been happening since William the Conqueror." The Odessa Journal newspaper reported in June that residents of the Russian-occupied city of Mariupol whose homes had been destroyed were being moved into the homes of citizens who had fled the area, and were being forced to find those who left and pressure them to cooperate in some fashion with the Russians. Maxwell, who's based in London, had already been working with Ukraine for years when it became clear by January that Russia planned to attack the country.

Data Storage

New Nonprofit 'Flickr Foundation' Hopes to Preserve Its Billions of Photos For 100 Years (popphoto.com)

"Content of every type disappears from the internet all the time..." writes Popular Photography's long-time "gear editor" (for photography equipment).

But someone's doing something about it: the newly-founded Flickr Foundation, which has announced plans "to make sure Flickr will be preserved for future generations." Or, as Popular Photography puts it, to stop photos "from suffering the same ill fate as our MySpace photos" — providing the example of important historical photos.

One particular collection their article notes is The Flickr Commons, "started back in 2008 as a collaborative effort with the Library of Congress to make publicly held photography collections readily available online for people seeking them out." It's a massive, eclectic, fascinating archive that pulls images and content from around the world. This new organization hopes to integrate more partners and ensure that everything remains available and easily accessible.... If you're not already familiar with The Commons, it's a really fascinating online resource. It grants access to everything from historical portraits to scientific images and everything in between. It's easy to get lost in the sheer volume of images available on the site, but Flickr relies on curators in order to bring notable images to the forefront and keep things organized and available.

With the establishment of the new foundation, Flickr hopes that it can keep this archive running to 2122 and beyond. It will doubtlessly add countless more images along the way.

Flickr is currently hiring a new archivist, according to their announcement (which also points out that the Flickr API was one of the first public APIs ever).

Among other things, it says that the foundation hopes to "investigate preservation strategies that could last for the next century,"
Open Source

Linux Foundation Announces an Open Map Project and 'Open Metaverse Foundation' (linuxfoundation.org)

The Linux Foundation "sponsors the work of Linux creator Linus Torvalds and lead maintainer Greg Kroah-Hartman," according to its page on Wikipedia. And now the Linux Foundation "is pleased to announce the launch of the Overture Maps Foundation," according to their December newsletter.

It's a collaborative effort "to enable current and next-generation map products by creating reliable, easy-to-use, and interoperable open map data as a shared asset that can strengthen mapping services worldwide." The initiative was founded by Amazon Web Services (AWS), Meta, Microsoft, and TomTom and is open to all communities with a common interest in building open map data. To get involved, please visit overturemaps.org.
And they're also announcing plans to form the Open Metaverse Foundation: In October, we brought top experts from diverse sectors together with leaders from many of the projects across the Linux Foundation to discuss what it will take to transform the emerging concept of the Metaverse from promise to reality.... As the next step in this amazing journey, we welcome the Open Metaverse Foundation (OMF) into the Linux Foundation as another piece of the puzzle. With your help, we can realize the promise of the open Metaverse. Learn more about what's next, join us, and get involved at openmv.org.
The Foundation has also published three new research papers:

The newsletter also points out that through Tuesday the foundation is offering 35% off any of their training courses, certifications, bundles or bootcamps.


Open Source

PineTab 2 Is Another Try At a Linux-Based Tablet, Without the 2020 Supply Crunch (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Pine64, makers of ARM-based, tinker-friendly gadgets, is making the PineTab 2, a sequel to its Linux-powered tablet that mostly got swallowed up by the pandemic and its dire global manufacturing shortages. The PineTab 2, as described in Pine64's "December Update," is based around the RK3566, made by RockChip. Pine64 based its Quartz64 single-board system on the system-on-a-chip (SoC), and has all but gushed about it across several blog posts. It's "a dream-of-a-SoC," writes Community Director Lukasz Erecinski, a "modern mid-range quad-core Cortex-A55 processor that integrates a Mali-G52 MP2 GPU." And it should be ideal for space-constrained devices: it runs cool, has a variety of I/O options and a solid price-to-performance ratio, and "is genuinely future-proof."

The PineTab 2 is a complete redesign, Erecinski claims. It has a metal chassis that "is very sturdy while also being easy to disassemble for upgrades, maintenance, and repair." The tablet comes apart with snap-in tabs, and Pine64 will offer replacement parts. The insides are modular, too, with the eMMC storage, camera, daughter-board, battery, and keyboard connector all removable "in under 5 minutes." The 10.1-inch IPS display, with "modern and reasonably thin bezels," should also be replaceable, albeit with more work. On that easily opened chassis are two USB-C ports, one for USB 3.0 I/O and one for charging (or USB 2.0 if you want). There's a dedicated micro-HDMI port, and a front-facing 2-megapixel camera and rear-facing 5-megapixel (not the kind of all-in-one media production machine Apple advertises, this tablet), a microSD slot, and a headphone jack. While a PCIe system is exposed inside the PineTab, most NVMe SSDs will not fit, according to Pine64. All of this is subject to change before final production, however.

As with the original PineTab, this model comes with a detachable, backlit keyboard cover, included by default. That makes supporting a desktop OS for the device far more viable, Erecinski writes. The firmware chipset is the same as in the PineBook Pro, which should help with that. No default OS has been decided as of yet, according to Pine64. The tablet should ship with two memory/storage variants, 4GB/64GB and 8GB/128GB. It's due to ship "sometime after the Chinese New Year" (January 22 to February 5), though there's no firm date. No price was announced, but "it will be affordable regardless of which version you'll settle on."
A video version of the "December Update" can be found on YouTube.
Transportation

Tesla Launches Steam In Its Cars With Thousands of Games (electrek.co)

Tesla has launched Steam integration inside its Model S and Model X electric cars with thousands of games now playable. Electrek reports: Today, Tesla launched Steam Beta for Model S and Model X as part of its "holiday update." We reported all the details of Tesla's holiday update earlier today for most Tesla vehicles, but the Steam integration is only for the refreshed Model S and Model X produced over the last two years. That's because Tesla's two flagship vehicles are equipped with a more powerful entertainment computer designed for video games.

With the unveiling of the new Model S and Model X, Tesla announced the new gaming computer: "Up to 10 teraflops of processing power enables in-car gaming on-par with today's newest consoles via Tesla Arcade. Wireless controller compatibility allows gaming from any seat." A known chip leaker, Patrick Schur, posted a diagram of Tesla's new gaming computer powered by the AMD Navi 23 GPU. The system is integrated and connects directly to two touchscreens inside the Model S and Model X to play games, watch entertainment, and perform other functions. Musk also revealed that the new computer has more storage space to be able to handle more games on the platform at the same time, which is going to be useful to handle your Steam library.
The holiday update also brings support for Apple Music, an update to Dog Mode, improvements to Tesla's "Light Show" feature, and a bunch of smaller features/updates.
Data Storage

Linux Kernel Fixes Longstanding Bug in Its Handling of Floppy Disks (theregister.com)

"Linux kernel 6.2 should contain fixes for some problems handling floppy disks," reports the Register, "a move which shows that someone somewhere is still using them." This isn't the only such fix in recent years. As a series of articles on Phoronix details, there has been a slow but steady flow of fixes for the kernel's handling of floppy drives since at least kernel 5.17, as The Register mentioned when it came out....

Back in July 2016, SUSE kernel developer Jiri Kosina submitted a patch. The problem arose because this change broke something else and later got reverted, and so the problem hung around. In July last year, he sent in a new patch that fixed it again for the 5.12 kernel, and it was later back-ported to 5.10, an LTS version, and again into kernel 5.15 — another LTS version, and the one you're running today if you're on the current Ubuntu LTS release, or something built from it such as Linux Mint 21....

Now, in December 2022, a new patch for the forthcoming kernel 6.2 fixes a memory leak that dates back to 5.11 or before.

Security

Cyberattack On Top Indian Hospital Highlights Security Risk (apnews.com)

An anonymous reader quotes a report from the Associated Press: The leading hospital in India's capital limped back to normalcy on Wednesday after a cyberattack crippled its operations for nearly two weeks. Online registration of patients resumed Tuesday after the hospital was able to access its server and recover lost data. The hospital worked with federal authorities to restore the system and strengthen its defenses. It's unclear who conducted the Nov. 23 attack on the All India Institute of Medical Sciences or where it originated.

The attack was followed by a series of failed attempts to hack India's top medical research organization, the Indian Council of Medical Research. This raised further concerns about the vulnerability of India's health system to attacks at a time when the government is pushing hospitals to digitize their records. More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021. The program assigns patients numbers that are linked to medical information stored by hospitals on their own servers or in cloud-based storage. Experts fear that hospitals may not have the expertise to ensure digital security.

"Digitizing an entire health care system without really safeguarding it can pretty much kill an entire hospital. It suddenly stops functioning," said Srinivas Kodali, a researcher with the Free Software Movement of India. That is what happened to the hospital in New Delhi. Healthcare workers couldn't access patient reports because the servers that store laboratory data and patient records had been hacked and corrupted. The hospital normally treats thousands of people a day, many of whom travel from distant places to access affordable care. Always crowded, queues at the hospital grew even longer and more chaotic. Sandeep Kumar, who accompanied his ill father, said the digital attack meant that appointments couldn't be booked online, and that doctors could do little when they saw patients because they couldn't access their medical history.

Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com)

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the total for the first two days of Pwn2Own to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Earth

2022's 'Earthshot Prizes' Recognize Five Innovative Responses to Climate Change (bbc.com) 32

"Childhood friends in Oman who figured out how to turn carbon dioxide into rock are among five winners chosen for the Prince of Wales's prestigious Earthshot Prize," reports the BBC: The annual awards were created by Prince William to fund projects that aim to save the planet. Each winner will receive £1m ($1.2m) to develop their innovation.... "I believe that the Earthshot solutions you have seen this evening prove we can overcome our planet's greatest challenges," Prince William said during the ceremony. "By supporting and scaling them we can change our future," he said.
1,500 projects were nominated, according to the event's web site. Here are the five winners:
  • A Kenya-based company producing stoves powered by processed biomass (made from charcoal, wood and sugarcane) that "burns cleaner, creating 90% less pollution than an open fire," while cutting fuel costs in half.
  • The Indian startup behind Greenhouse-in-a-box. "Plants in the greenhouse require 98% less water than those outdoors and yields are seven-times higher," explains the site, while the greenhouses themselves are 90% cheaper than a standard greenhouse, "more than doubling farmers' incomes [while] using less water and fewer pesticides."
  • A Queensland-based program to expand the network of rangers using drones to monitor reefs and wildfires while sharing information and innovative ideas.
  • The company 44.01 removes CO2 permanently by mineralising it in peridotite, accelerating the natural process by pumping carbonated water into peridotite underground. (Unlike carbon storage, "mineralizing" CO2 removes it forever, making the process safer, cost-effective, and scalable.)

Five prizes will be awarded each year until 2030.
Security

Lastpass Says Hackers Accessed Customer Data In New Breach (bleepingcomputer.com) 81

AmiMoJo writes: LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said. "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information." LastPass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack. It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."

Cloud

OpenStack Cloud Sees Explosive Growth (zdnet.com) 21

An anonymous reader quotes a report from ZDNet: One bit of accepted wisdom in some cloud circles is that OpenStack, the open-source Infrastructure as a Service (IaaS) cloud, is declining. Nothing could be further from the truth. It's alive, well, and growing like crazy. According to the 2022 OpenStack User Survey, OpenStack now has over 40 million production cores. Or, in other words, it's seen 60% growth since 2021 and a 166% jump since 2020. Not bad for a so-called also-ran, eh? It's not just telecoms, where OpenStack has become the backbone of major cell companies such as China Mobile and Verizon. Nor is it just other major companies such as the Japanese instant messaging service LINE, the on-demand, cloud-based financial management service company Workday, Walmart Labs, and Yahoo. No, many other, much smaller companies have also staked their cloud future on OpenStack.

Why? There are many reasons. As Jonathan Bryce, executive director of the Open Infrastructure Foundation (OpenInfra Foundation), OpenStack's parent organization, said, "OpenStack supports the ever-changing world of infrastructure where now we have GPUs, FPGAs, smart NICs, and smart storage. At the same time, you can still get direct access to the underlying hardware." This, in turn, enables "OpenStack users to create such amazing things as telecom cloud workloads on the cloud that can do edge transcoding video. With this, people can watch 4K videos on their phones using 5G." Another reason for OpenStack's growing popularity is its Kubernetes integration. Thanks to Linux OpenStack Kubernetes Infrastructure (LOKI), Kubernetes is now deployed on over 85% of OpenStack deployments. In addition, Magnum, the OpenStack container orchestration service, is also gaining popularity. 21% of users are now running production workloads with it. [...] Kubernetes is also very useful with hybrid clouds. OpenStack is often used in hybrid clouds. Indeed, 80% of OpenStack users are deploying it in hybrid clouds. To make it easier to build out hybrid clouds, operators are turning to Octavia, an open-source, operator-scale load-balancing program. Today, not quite 50% of OpenStack deployments are using Octavia.
OpenInfra Foundation's general manager Thierry Carrez said: "Hype is nice, but substance lasts, and as OpenStack deployments continue to grow in staggering numbers, the OpenStack community is proving that it's not only alive and well, but also delivering indisputable value to organizations."

Encryption

Dropbox Acquires Boxcryptor Assets To Bring Zero-Knowledge Encryption To File Storage (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users.
"In a blog post published today, Boxcryptor founders Andrea Pfundmeier and Robert Freudenreich say that their 'new mission' will be to embed Boxcryptor's technology into Dropbox," adds TechCrunch. "And after today, nobody will be able to create an account or buy any licenses from Boxcryptor -- it's effectively closing to new customers."

"But there are reasons why the news is being packaged the way it has. The company is continuing to support existing customers through the duration of their current contracts."
