Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the total for the first two days of Pwn2Own to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Earth

2022's 'Earthshot Prizes' Recognize Five Innovative Responses to Climate Change (bbc.com) 32

"Childhood friends in Oman who figured out how to turn carbon dioxide into rock are among five winners chosen for the Prince of Wales's prestigious Earthshot Prize," reports the BBC: The annual awards were created by Prince William to fund projects that aim to save the planet. Each winner will receive £1m ($1.2m) to develop their innovation.... "I believe that the Earthshot solutions you have seen this evening prove we can overcome our planet's greatest challenges," Prince William said during the ceremony. "By supporting and scaling them we can change our future," he said.
1,500 projects were nominated, according to the event's web site. Here are the five winners:
  • A Kenya-based company producing stoves powered by processed biomass (made from charcoal, wood and sugarcane) that "burns cleaner, creating 90% less pollution than an open fire," while cutting fuel costs in half.
  • The Indian startup behind Greenhouse-in-a-box. "Plants in the greenhouse require 98% less water than those outdoors and yields are seven-times higher," explains the site, while the greenhouses themselves are 90% cheaper than a standard greenhouse, "more than doubling farmers' incomes [while] using less water and fewer pesticides."
  • A Queensland-based program to expand the network of rangers using drones to monitor reefs and wildfires while sharing information and innovative ideas.
  • The company 44.01 removes CO2 permanently by mineralising it in peridotite, accelerating the natural process by pumping carbonated water into peridotite underground. (Unlike carbon storage, "mineralizing" CO2 removes it forever, making the process safer, cost-effective, and scalable.)

Five prizes will be awarded each year until 2030.


Security

Lastpass Says Hackers Accessed Customer Data In New Breach (bleepingcomputer.com) 81

AmiMoJo writes: LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," the company said. "We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers' information." Lastpass said it hired security firm Mandiant to investigate the incident and notified law enforcement of the attack. It also noted that customers' passwords have not been compromised and "remain safely encrypted due to LastPass's Zero Knowledge architecture."
Cloud

OpenStack Cloud Sees Explosive Growth (zdnet.com) 21

An anonymous reader quotes a report from ZDNet: One bit of accepted wisdom in some cloud circles is that OpenStack, the open-source Infrastructure as a Service (IaaS) cloud, is declining. Nothing could be further from the truth. It's alive, well, and growing like crazy. According to the 2022 OpenStack User Survey, OpenStack now has over 40 million production cores. Or, in other words, it's seen 60% growth since 2021 and a 166% jump since 2020. Not bad for a so-called also-run, eh? It's not just telecoms, where OpenStack has become the backbone of major cell companies such as China Mobile and Verizon. Nor is it just other major companies such as the Japanese instant messaging service LINE, the on-demand, cloud-based financial management service company Workday, Walmart Labs, and Yahoo. No, many other, much smaller companies have also staked their cloud future on OpenStack.

Why? There are many reasons. As Jonathan Bryce, executive director of the Open Infrastructure Foundation (OpenInfra Foundation), OpenStack's parent organization, said, "OpenStack supports the ever-changing world of infrastructure where now we have GPUs, FPGAs, smart NICs, and smart storage. At the same time, you can still get direct access to the underlying hardware." This, in turn, enables "OpenStack users to create such amazing things as telecom cloud workloads on the cloud that can do edge transcoding video. With this, people can watch 4K videos on their phones using 5G." Another reason for OpenStack's growing popularity is its Kubernetes integration. Thanks to Linux OpenStack Kubernetes Infrastructure (LOKI), Kubernetes is now deployed on over 85% of OpenStack deployments. In addition, Magnum, the OpenStack container orchestration service, is also gaining popularity. 21% of users are now running production workloads with it. [...] Kubernetes is also very useful with hybrid clouds. OpenStack is often used in hybrid clouds. Indeed, 80% of OpenStack users are deploying it in hybrid clouds. To make it easier to build out hybrid clouds, operators are turning to Octavia, an open-source, operator-scale load-balancing program. Today, not quite 50% of OpenStack deployments are using Octavia.
OpenInfra Foundation's general manager Thierry Carrez said: "Hype is nice, but substance lasts, and as OpenStack deployments continue to grow in staggering numbers, the OpenStack community is proving that it's not only alive and well, but also delivering indisputable value to organizations."
Encryption

Dropbox Acquires Boxcryptor Assets To Bring Zero-Knowledge Encryption To File Storage (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users.
"In a blog post published today, Boxcryptor founders Andrea Pfundmeier and Robert Freudenreich say that their 'new mission' will be to embed Boxcryptor's technology into Dropbox," adds TechCrunch. "And after today, nobody will be able to create an account or buy any licenses from Boxcryptor -- it's effectively closing to new customers."

"But there are reasons why the news is being packaged the way it has. The company is continuing to support existing customers through the duration of their current contracts."
Cloud

Anker's Eufy Cameras Caught Uploading Content To the Cloud Without User Consent (macrumors.com) 33

Anker's popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local only storage settings are turned on. MacRumors reports: The information comes from security consultant Paul Moore, who last week published a video outlining the issue. According to Moore, he purchased a Eufy Doorbell Dual, which was meant to be a device that stored video recording on device. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled. Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and turning off the Eufy HomeBase. The website is still able to access the content through cloud integration, though he had not signed up for cloud service, and it remains accessible even when the footage is removed from the Eufy app. It's important to note that Eufy does not appear to be automatically uploading full streaming video to the cloud, but rather taking captures of the video as thumbnails.

The thumbnails are used in the Eufy app to activate streaming video from the Eufy base station, allowing Eufy users to watch their videos when away from home, as well as for sending rich notifications. The problem is the thumbnails are uploaded to the cloud automatically even when the cloud functionality is not active, and Eufy also seems to be using facial recognition on the uploads. Some users have taken issue with the unauthorized cloud uploads because Eufy advertises local-only service and has been popular among those who want a more private camera solution. "No Clouds or Costs," reads the Eufy website. Moore suggests that Eufy is also able to link facial recognition data collected from two separate cameras and two separate apps to users, all without camera owners being aware.

Moore received a response from Eufy in which Eufy confirmed that it is uploading event lists and thumbnails to AWS, but said the data is not able to "leak to the public" because the URL is restricted, time limited, and requires account login. There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.
There's a dedicated Reddit thread where other Eufy users are reporting the same thing happening.
Data Storage

Dropbox Acquires Boxcryptor Assets To Bring Zero-Knowledge Encryption To File Storage (techcrunch.com) 30

Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. From a report: Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users.

Bitcoin

Major Canadian Crypto Exchange Coinsquare Says Client Data Breached (coindesk.com) 19

Coinsquare, one of Canada's largest cryptocurrency exchanges, may have been breached, but the company claims customer assets are "secure in cold storage and are not at risk." CoinDesk reports: The exchange, which touts itself as "Canada's trusted platform to securely buy, sell and trade Bitcoin, Ethereum, and more," emailed customers Friday to report a "data incident" in which an unauthorized third party accessed a customer database containing personal information. According to the email, the breach exposed "customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances." Although the email was sent Friday, Coinsquare discovered the breach last week and notified customers via Twitter. "No passwords were exposed. We have no evidence any of this information was viewed by the bad actor," the email stated.

Coinsquare suspended activities on its platform after detecting the vulnerability last week, triggering speculation of possible liquidity issues, given the momentous implosion of multi-billion-dollar crypto exchange, FTX, earlier this month. Full service was restored on Friday, according to a tweet. "We want to reiterate that 100% of client funds are safely held in cold storage and are not used for business activities," the company tweeted.

Christmas Cheer

Free Software Foundation Publishes Its 2022 'Ethical Tech Giving Guide' (fsf.org) 16

For the last thirteen years the Free Software Foundation has published its Ethical Tech Giving Guide, notes a recent FSF blog post. "The right to determine what a device you've purchased does or doesn't do is something too valuable to lose."

Or, as they put it in the guide: It's time to reclaim our freedom from the abuse of multinational corporations, who use proprietary software and malicious "antifeatures" to keep us powerless, dependent, and surveilled by the devices that we use. There's no time at which it's more important to turn these unfortunate facts into positive action than the holiday season.

The gifts that we recommend here might not be making headlines, but they're the rare exception to the apparent rule that devices should mistreat their users.

For technical users, the guide recommends pairing the FSF-sponsored Replicant, a fully-free distribution of Android, with the F-Droid app repository, which has hundreds of applications including Syncthing, Tor, Minetest, and Termux.

They also praise the X200 laptop, "one of the few home user devices that's able to run fully free software from top to bottom." With easy-to-repair hardware, it's the laptop most frequently used in the FSF's own office — just one of several freedom-respecting devices from Vikings. And there's shout-outs to MNT's Reform laptop, products from PINE64 and Purism, plus a freedom-respecting VPN, and a mini wifi adapter.

The guide even recommends places to buy DRM-free ebooks, including No Starch Press, Smashwords, Leanpub, Standard Ebooks, Nantucket E-Books, Libreture (which also offers a storage solution). Meanwhile for print books, there's the Gnu Press Shop.

And it also recommends sources for DRM-free music (including Bandcamp, Emusic, the Smithsonian Institute's Folkways, the classic punk label Dischord, HDTracks, and Mutopia).

And it also tells you where to find free (as in freedom) films...
Power

Europe's Biggest Battery Storage System Switched On (bbc.com) 160

What is thought to be Europe's biggest battery energy storage system has begun operating near Hull. The BBC reports: The site, said to be able to store enough electricity to power 300,000 homes for two hours, went online at Pillswood, Cottingham, on Monday. Its launch was brought forward four months as the UK faces possible energy shortages this winter. The facility was developed by North Yorkshire renewable power firm Harmony Energy using technology made by Tesla.

The Pillswood facility has the capacity to store up to 196 MWh energy in a single cycle. It has been built next to the National Grid's Creyke Beck substation, which will be connected to Dogger Bank, the world's largest offshore wind farm, when it launches in the North Sea later this decade. The system, which will use Tesla's AI software to match energy supply to demand, had been due to be switched on in two stages in December 2022 and March 2023.
Peter Kavanagh, director of Harmony Energy, said: "Battery energy storage systems are essential to unlocking the full potential of renewable energy in the UK and we hope this particular one highlights Yorkshire as a leader in green energy solutions."

"These projects are not supported by taxpayer subsidy and will play a major role in contributing to the Net Zero transition, as well as ensuring the future security of the UK's energy supply and reduced reliance on foreign gas imports."
Android

Android TV Will Require App Bundles In 2023, Should Reduce App Size By 20% (arstechnica.com) 14

An anonymous reader quotes a report from Ars Technica: Google announced that Android's space-saving app file format, Android App Bundles (AABs), will finally be the standard on Android TV. By May 2023 -- that's in six months -- Google will require all Android TV apps to switch to the new file format, which can cut down on app storage requirements by 20 percent.

Android App Bundles were announced with Android 9 in 2018 as a way to save device storage by breaking an app up into modules, rather than one big monolithic APK (the old Android app format) with every possible piece of data. Android apps support a ton of different languages, display resolutions, and CPU architectures, but each individual device only needs to cherry-pick a few of those options to work. Android App Bundles integrate with the Play Store to create a dynamic delivery system for each module. Your phone communicates which modules it needs to the Play Store, and Google's servers bundle up an appropriate package and send it to your device. It's even possible for developers to move some lesser-used app functionality into a bundle that can be downloaded on the fly if a user needs it. [...]

Google says Android App Bundles average around a 20 percent space savings compared to a monolithic APK, which will be a huge help for these storage-starved devices. Since 2021, they have been the required standard for phones and tablets, and in six months, TV apps will be required to use them, too. Developers who don't switch in time will have their TV apps hidden from search, so they'd better get to work! Google estimates that "in most cases it will take one engineer about three days to migrate."

Cloud

iCloud For Windows Users Report of Corrupted Videos, Photos From Strangers (9to5mac.com) 25

There are ongoing issues apparently affecting the iCloud for Windows app, particularly in regards to photo and video storage. According to a number of online complaints from users, iCloud for Windows is corrupting certain videos. There are also reports of a more worrying problem: photos from strangers popping up in people's iCloud Photo library. 9to5Mac reports: MacRumors rounded up some of these complaints via complaints posted to their forums. According to an affected user, videos taken with the iPhone 13 Pro and iPhone 14 Pro models aren't being properly synced with iCloud for Windows. When certain videos are recorded and then synced with iCloud for Windows, they turn "black with scan lines, rendering the videos unwatchable."

While that problem is bad enough, some other users say they are seeing photos and even videos they do not recognize in their photo libraries. The speculation here is that these photos or videos could be from other people's iCloud libraries, though nothing has been confirmed yet. [...] These problems appear to be affecting the dedicated iCloud for Windows app itself, not the recently-launched iCloud Photos integration in Windows 11. The culprit seems to be the handoff of certain file types between the iPhone and iCloud rendering on Windows. The problem certainly appears to be a server-side issue on Apple's side, rather than something on Microsoft's side.

Earth

Debate at COP27: Nuclear Energy, Climate Friend or Foe? (youtube.com) 273

Long-time Slashdot reader gordm shares an interesting video from the United Nations Climate Change Conference. "At COP27, Tobias Holle (activist with Youth Strike for Climate) debated Mark Nelson (founder of Radiant Energy Fund) as to whether nuclear power can help us tackle climate change."

The event took place at the International Atomic Energy Agency's "Atoms for Climate" pavilion, where the IAEA's climate advisor presented the debate's topic as "Nuclear Energy: Climate Friend or Foe?" (and introduced the two debaters as "enthusiastic young climate champions"). The Youth Strike for Climate activist objected to committing humanity to 1 million years of maintaining nuclear waste. But he also argued that extreme weather was creating additional security risks, that the per-kilowatt hour cost was economically prohibitive, that nuclear plants were politically unpopular — and that anyway, they take too long to build given our current climate crisis. "We need fast solutions."

The Radiant Energy founder disagreed, arguing over specific statistics and insisting that nuclear energy should be considered a low-carbon energy solution, and also safe. (He pointed out that Chernobyl's nuclear plant actually continued operating for 14 years after its 1986 nuclear accident.) Interestingly he also argued that in the Netherlands there's a museum of nuclear waste — a science museum attached to their nuclear facility — "where they don't just have the high-level waste, they have the highest part of high-level waste, the most dangerous isotopes, separated from the nuclear fuel. The most radioactive stuff — very hot for 500 years — and they have a tour where you can walk over it, and you can feel the warmth from the floor from the radioactive isotopes....

"You can absolutely manage the safe, secure, and even educational storage of the most radioactive isotopes... We know very well how to manage it."
Open Source

The Creator of Homebrew's Plan To Get Open Source Contributors Paid - Using Blockchain (stackoverflow.blog) 44

The creator of the Linux/macOS package manager Homebrew has a new package manager named Tea. But according to Stack Overflow's podcast, the software also "aims to solve the problem of providing funding for popular open source projects." While he is not a crypto bull, Max was inspired with a solution for the open source funding dilemma by his efforts to buy and sell an NFT. A contract written in code and shared in public enforced a rule sending a portion of his proceeds to the digital object's original creator. What if the same funding mechanism could be applied to open source projects? In March of 2022, Max and his co-founder launched Tea, a sort of spiritual successor to Homebrew. It has a lot of new features Max wanted in a package manager, plus a blockchain based approach to ensuring that creators, maintainers, and contributors of open source software can all get paid for their efforts.

You can read Max's launch post on Tea here and yes, of course there is a white paper.

The paper describes the proposed solution as "a decentralized system for fairly remunerating open-source developers based on their contributions to the entire ecosystem and enacted through the tea incentive algorithm applied across all entries in the tea registry." And the launch post calls tea "our revolution against a failing system," arguing "We're taking our knowledge of how to make development more efficient and throwing innovations nobody has ever really considered before.

"Package managers haven't been sexy. Until now. Most importantly, we're moving the package registry on-chain (relax, we'll use a low-energy proof of stake chain). This has numerous benefits due to the inherent benefits of blockchain technology." For starters, decentralized storage will make the packages always-available and immutable, signed by maintainers themselves. But there's more: web3 has enabled novel new ways to distribute value, and with our system people who care about the health of the open source ecosystem buy some token and stake it. Periodically, we reward this staking because it is securing our token network. We give a portion of these rewards to the staker and a portion to packages of their choice along with all the dependencies of those packages.

Note that no portion goes to us. We're not like the other app stores.... tea is the home to a DAO that will ensure the open source maintainers that keep the Internet running are rewarded as they deserve.

An introduction to the white paper adds that in the spirit of the open source movement, "we're inviting developers, speculators, and enthusiasts alike to contribute to our white paper and help brew the future of the internet. This is our revolutionary undertaking to create equitable open-source for web3, and we want you to be a part of laying its groundwork."

Thanks to guest reader for submitting the story.
Earth

Earth Now Weighs Six Ronnagrams: New Metric Prefixes Voted In (phys.org) 81

An anonymous reader quotes a report from Phys.Org: Say hello to ronnagrams and quettameters: International scientists gathered in France voted on Friday for new metric prefixes to express the world's largest and smallest measurements, prompted by an ever-growing amount of data. It marks the first time in more than three decades that new prefixes have been added to the International System of Units (SI), the agreed global standard for the metric system. Joining the ranks of well-known prefixes like kilo and milli are ronna and quetta for the largest numbers -- and ronto and quecto for the smallest.

The change was voted on by scientists and government representatives from across the world attending the 27th General Conference on Weights and Measures, which governs the SI and meets roughly every four years at Versailles Palace, west of Paris. The prefixes make it easier to express large amounts -- for example, always referring to a kilometer as 1,000 meters or a millimeter as one thousandth of a meter would quickly become cumbersome. Since the SI was established in 1960, scientific need has led to a growing number of prefixes. The last time was in 1991, when chemists wanting to express vast molecular quantities spurred the addition of zetta and yotta.

The new prefixes can simplify how we talk about some pretty big objects. "If we think about mass, instead of distance, the Earth weighs approximately six ronnagrams," which is a six followed by 27 zeroes, [said Richard Brown, the head of metrology at the UK's National Physical Laboratory]. "Jupiter, that's about two quettagrams," he added -- a two followed by 30 zeros. Brown said he had the idea for the update when he saw media reports using unsanctioned prefixes for data storage such as brontobytes and hellabytes. Google in particular has been using hella for bytes since 2010. "Those were terms that were unofficially in circulation, so it was clear that the SI had to do something," he said.

Bitcoin

FTX Owes Money To More Than a Million People, Court Filing Suggests (vice.com) 91

The embattled and now bankrupt cryptocurrency exchange FTX may owe more than a million people money, according to a Tuesday court filing (PDF). Motherboard reports: "The events that have befallen FTX over the past week are unprecedented. Barely more than a week ago, FTX, led by its co-founder Sam Bankman-Fried, was regarded as one of the most respected and innovative companies in the crypto industry," the filing notes. "FTX faced a severe liquidity crisis that necessitated the filing of these [bankruptcy] cases on an emergency basis last Friday. Questions arose about Mr. Bankman-Fried's leadership and the handling of FTX's complex array of assets and businesses under his direction."

The filing goes on to state that, originally, it was thought that there were "over one hundred thousand creditors in these Chapter 11 Cases." It then states that, "in fact, there could be more than one million creditors," meaning that FTX could owe money to more than a million people, the vast majority of whom are customers and former customers. The filing is an attempt to consolidate and simplify the bankruptcy process; as noted in an earlier filing, FTX operated a highly complex corporate structure with dozens of companies, each of which filed for bankruptcy separately last week. The fate of customers' money is still up-in-the-air as FTX halted withdrawals last week.
According to the Wall Street Journal, FTX founder Sam Bankman-Fried thinks he can raise enough money to make users whole. "Mr. Bankman-Fried, alongside a few remaining employees, spent the past weekend calling around in search of commitments from investors to plug a shortfall of up to $8 billion in the hopes of repaying FTX's customers," WSJ reports. "The efforts to cover that shortfall have so far been unsuccessful."
Star Wars Prequels

Seagate Announces Dual-Actuator MACH.2 Drive - and Star Wars, Black Panther Themed Drives (seagate.com) 47

An anonymous reader writes that Seagate Technology has launched its second generation dual actuator MACH.2 series hard drives. "Computing power, storage capacities, and storage performance: all must continue moving forward in order for technology innovators to solve humanity's greatest challenges," boasts Seagate's page for the drives: MACH.2 is the world's first multi-actuator hard drive technology, containing two independent actuators that transfer data concurrently. MACH.2 solves the need for increased performance by enabling parallelism of data flows in and out of a single hard drive. By allowing the data center host computer to request and receive data from two areas of the drive simultaneously, MACH.2 doubles the IOPS performance of each individual hard drive.... MACH.2 provides up to 2x performance — with two independent actuators and data paths, it enables concurrent I/O streams to and from the host.
Seagate claims it offers "optimal latency" by improving sequential performance to double data transfer rates over single-actuator drives.

And in other news, Seagate is selling hard drives with commemorative Star Wars themes, including the Mandalorian drive, the Grogu drive, and the Boba Fett drive. (It's in addition to Seagate's officially licensed external drive for God of War Ragnarök — optimised for PS4 and PS5, delivering "the ability to play PS4 games directly from the drive.") Seagate also made drives commemorating Marvel's Avengers and Spider-Man, and now has new drives for Marvel's Black Panther: Wakanda Forever.
Encryption

Introducing Shufflecake: Plausible Deniability For Multiple Hidden Filesystems on Linux (kudelskisecurity.com) 90

Thursday the Kudelski Group's cybersecurity division released "a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes."

"Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted." Even if the presence of the Shufflecake software itself cannot be hidden — and hence the presence of secret volumes is suspected — the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where "most hidden" secret volumes are buried under "less hidden" decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly "lie" to a coercive adversary about the existence of hidden data, by providing a password that unlocks "decoy" data.

Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a "spiritual successor" of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and can manage up to 15 nested volumes per device, so to make deniability of the existence of these partitions really plausible.

"The reason why this is important versus 'simple' disc encryption is best illustrated in the famous XKCD comic 538," quips Slashdot reader Gaglia (in the original submission). But the big announcement from Kudelski Security Research calls it "a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes.

"Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.... The current release is still a non-production-ready prototype, so we advise against using it for really sensitive operations. However, we believe that future work will sensibly improve both security and performance, hopefully offering a really useful tool to people who live in constant danger of being interrogated with coercive methods to reveal sensitive information."
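As an added illustration (not Shufflecake's code or on-disk format), here is a toy Python model of the deniability properties described above: each volume header is encrypted under its own password-derived key, used and unused header slots both read as random noise, and a wrong password reveals nothing about how many volumes exist. The slot layout, the HMAC-based stream cipher and the passwords are constructed for this example only.

```python
import hashlib, hmac, os

# Constructed toy model of multi-volume plausible deniability. It is NOT
# Shufflecake's code or on-disk format; it only illustrates the properties the
# announcement describes: per-volume keys, headers that read as random noise
# without the key, and no cleartext record of how many volumes exist.
SALT_LEN = 16
SLOT_SIZE = 64      # bytes reserved per volume header slot
MAX_SLOTS = 15      # the page states up to 15 nested volumes per device
MAGIC = b"VOLHDR"   # recognisable only after decrypting with the right key

def derive_key(password: str, salt: bytes) -> bytes:
    # One password-derived key per volume (PBKDF2 is always present in hashlib).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def xor_stream(key: bytes, slot: int, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256(key, slot || counter) keystream XORed with
    # data. Output looks random without the key; illustration only.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, bytes([slot]) + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def format_device() -> bytearray:
    # Header area starts as random noise; unused slots stay that way, so used
    # and unused slots cannot be told apart without a key.
    return bytearray(os.urandom(SALT_LEN + MAX_SLOTS * SLOT_SIZE))

def create_volume(device: bytearray, slot: int, password: str, label: str) -> None:
    # Write one volume header encrypted under that volume's own key.
    header = (MAGIC + label.encode()).ljust(SLOT_SIZE, b"\0")
    assert 0 <= slot < MAX_SLOTS and len(header) == SLOT_SIZE
    key = derive_key(password, bytes(device[:SALT_LEN]))
    start = SALT_LEN + slot * SLOT_SIZE
    device[start:start + SLOT_SIZE] = xor_stream(key, slot, header)

def open_volume(device: bytearray, password: str):
    # Try every slot: the user need not know which slot is theirs, and a wrong
    # password yields random bytes in every slot, revealing nothing.
    key = derive_key(password, bytes(device[:SALT_LEN]))
    for slot in range(MAX_SLOTS):
        start = SALT_LEN + slot * SLOT_SIZE
        plain = xor_stream(key, slot, bytes(device[start:start + SLOT_SIZE]))
        if plain.startswith(MAGIC):
            return slot, plain[len(MAGIC):].rstrip(b"\0").decode()
    return None
```

Surrendering the decoy password opens only the decoy slot; the hidden slot stays indistinguishable from the unused random ones.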
Power

California Regulators Propose Cutting Compensation For Rooftop Solar (nytimes.com) 178

An anonymous reader quotes a report from the New York Times: For a second time in less than a year, regulators in California moved on Thursday to roll back the compensation that homeowners receive from utilities for the excess electricity their rooftop solar panels send to the electric grid -- payments that power companies and some consumer groups have argued hurt poor and low-income households. The new proposal from the California Public Utilities Commission would cut the benefit for almost all new rooftop solar customers by about 75 percent starting in April. Under current rules, households that send excess power to the grid receive credits on their utility bills that are equivalent to retail electricity rates. The system of credits is known as net energy metering. The measure, which will be subject to public comment before the commission's five members vote on it, would also limit solar systems to 150 percent of a building's electricity load.

Regulators in other states are closely watching how California changes its net metering program. Utilities and solar energy companies have been fighting over energy credits in numerous states. Billions of dollars in investment and revenue are potentially at stake. More generous credits typically encourage people to buy solar panels but can cut into the profits of utilities. California leads the nation by far in the use of rooftop solar, with about 1.5 million such installations. The utilities commission estimates that those systems have the collective capacity to generate 12 gigawatts of electricity, or the equivalent of 12 nuclear power plants.

In a statement, the commission said the new proposal would make net metering more equitable. Average residential customers of Pacific Gas and Electric, Southern California Edison and San Diego Gas & Electric who install solar panels would save $100 a month on their electricity bill, and average residential customers installing solar paired with battery storage would save at least $136 a month, the commission stated. As a result of those savings, it said, the average household that installs a new solar or solar and battery system would be able to fully pay off the system in nine years or less. Compensation would not change for homeowners who already had rooftop solar panels, for at least 20 years from when their system was installed.
"As rooftop solar systems have spread over the last decade, the utility industry has criticized use of the technology and called net metering an unjust subsidy," adds the report. "Utilities argue that rooftop solar homes that greatly reduce or zero out their monthly electric bills are effectively forcing households without panels to bear more of the cost of maintaining the electric grid. But the solar industry has argued that net metering is needed to encourage use of rooftop solar and reduce the emissions responsible for climate change."
Microsoft

Microsoft's DirectStorage 1.1 Arrives To Boost PC Game Load Times With GPU Decompression (theverge.com) 36

Microsoft is releasing DirectStorage 1.1 this week, and the biggest new addition is GPU decompression for Windows PC games. The Verge reports: GPU decompression works by offloading the work needed to decompress assets in games to the graphics card instead of the CPU. Right now, game assets are typically compressed when they are packaged up for distribution and then decompressed once a game is played. The problem is most compression techniques are designed for CPUs, which aren't great for modern games that want to push for faster decompression rates with the latest PC hardware.

We've seen the industry move to PCIe Gen3 or Gen4 NVMe storage devices in recent years, offering 7GB/s of data bandwidth. This fast storage is great news for game developers wanting to speed up load times, and the advances in I/O technology can dramatically speed up load times and games using DirectStorage 1.1. Developers will now need to tweak their games to make use of DirectStorage 1.1, and the improvements could even see big changes inside games where you move from one world to another or teleport between different parts of a map or world. Microsoft claims this can be as much as three times faster, freeing up the CPU to handle other game processes. [...] All we need now is game support.
