An anonymous reader shared this report from BleepingComputer: Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. Spectre V2 is a new variant of the original Spectre attack discovered by a team of researchers at the VUSec group from VU Amsterdam. The researchers also released a tool that uses symbolic execution to identify exploitable code segments within the Linux kernel to help with mitigation.

The new finding underscores the challenges in balancing performance optimization with security, which makes addressing fundamental CPU flaws complicated even six years after the discovery of the original Spectre....

As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels. "An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget," reads the CERT/CC announcement. "Current research shows that existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor."
"For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor."

From the Washington Post: The U.S. government said Thursday that Russian government hackers who recently stole Microsoft corporate emails had obtained passwords and other secret material that might allow them to breach multiple U.S. agencies.

The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses. The "successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies," CISA wrote. "This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure."
"CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies," according to the article. And the article adds that CISA "did not spell out the extent of any risks to national interests."

But the agency's executive assistant director for cybersecurity did tell the newspaper that "the potential for exposure of federal authentication credentials...does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein." Microsoft's Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Washington-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.... [T]he breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking. Another of those incidents — in which Chinese government hackers cracked security in Microsoft's cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a "cascade of avoidable errors."

O'Reilly's "Tech Trends" newsletter included an interesting item this month: Want your own Klein Bottle? Made by Cliff Stoll, author of the cybersecurity classic The Cuckoo's Egg, who will autograph your bottle for you (and may include other surprises).
First described in 1882 by the mathematician Felix Klein, a Klein bottle (like a Mobius strip) has a one-side surface. ("Need a zero-volume bottle...?" asks Stoll's web site. "Want the ultimate in non-orientability...? A mathematician's delight, handcrafted in glass.")

But how the legendary cyberbreach detective started the company is explained in this 2016 article from a U.C. Berkeley alumni magazine. Its headline? "How a Berkeley Eccentric Beat the Russians — and Then Made Useless, Wondrous Objects." The reward for his cloak-and-dagger wizardry? A certificate of appreciation from the CIA, which is stashed somewhere in his attic... Stoll published a best-selling book, The Cuckoo's Egg, about his investigation. PBS followed it with a NOVA episode entitled "The KGB, the Computer, and Me," a docudrama starring Stoll playing himself and stepping through the "fourth wall" to double as narrator. Stoll had stepped through another wall, as well, into the numinous realm of fame, as the burgeoning tech world went wild with adulation... He was more famous than he ever could have dreamed, and he hated it. "After a few months, you realize how thin fame is, and how shallow. I'm not a software jockey; I'm an astronomer. But all people cared about was my computing."

Stoll's disenchantment also arose from what he perceived as the false religion of the Internet... Stoll articulated his disenchantment in his next book, Silicon Snake Oil, published in 1995, which urged readers to get out from behind their computer screens and get a life. "I was asking what I thought were reasonable questions: Is the electronic classroom an improvement? Does a computer help a student learn? Yes, but what it teaches you is to go to the computer whenever you have a question, rather than relying on yourself. Suppose I was an evil person and wanted to eliminate the curiosity of children. Give the kid a diet of Google, and pretty soon the child learns that every question he has is answered instantly. The coolest thing about being human is to learn, but you don't learn things by looking it up; you learn by figuring it out." It was not a popular message in the rise of the dot-com era, as Stoll soon learned...

Being a Voice in the Wilderness doesn't pay well, however, and by this time Stoll had taken his own advice and gotten a life; namely, marrying and having two children. So he looked around for a way to make some money. That ushered in his third — and current — career as President and Chief Bottle Washer of the aforementioned Acme Klein Bottle company... At first, Stoll had a hard time finding someone to make Klein bottles. He tried a bong peddler on Telegraph Avenue, but the guy took Cliff's money and disappeared. "I realized that the trouble with bong makers is that they're also bong users."

Then in 1994, two friends of his, Tom Adams and George Chittenden, opened a shop in West Berkeley that made glassware for science labs. "They needed help with their computer program and wanted to pay me," Stoll recalls. "I said, 'Nah, let's make Klein bottles instead.' And that's how Acme Klein Bottles was born."
UPDATE: Turns out Stoll is also a long-time Slashdot reader, and shared comments this weekend on everything from watching the eclipse to his VIP parking pass for CIA headquarters and "this CIA guy's rubber-stamp collection."

"I am honored by the attention and kindness of fellow nerds and online friends," Stoll added Saturday. "When I first started on that chase in 1986, I had no idea wrhere it would lead me... To all my friends: May you burdens be light and your purpose high. Stay curious!"

The Linux Foundation-backed project OpenTofu "has gotten legal pushback from HashiCorp," according to a report — just seven months after forking OpenTofu's code from HashiCorp's IT deployment software Terraform: On April 3, HashiCorp issued a strongly-worded Cease and Desist letter to OpenTofu, accusing that the project has "repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp's intellectual property rights." It goes on to note that "In at least some instances, OpenTofu has incorrectly re-labeled HashiCorp's code to make it appear as if it was made available by HashiCorp originally under a different license." Last August, HashiCorp announced that it would be transitioning its software from the open source Mozilla Public License (MPL 2.0) to the Business Source License (BSL), a license that permits the source to be viewed, but not run in production environments without explicit approval by the license owner. HashiCorp gave OpenTofu until April 10 to remove any allegedly copied code from the OpenTofu repository, threatening litigation if the project fails to do so.
Others are also covering the fracas, including Steven J. Vaughan-Nichols at DevOps.com: OpenTofu replied, "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts." In addition, it said, HashiCorp's claims of copyright infringement are completely unsubstantiated. As for the code in question, OpenTofu claims it can clearly be shown to have been copied from older code under the Mozilla Public License (MPL) 2.0. "HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments."

In a detailed source code origination (SCO) examination of the problematic source code, OpenTofu stated that HashiCorp was mistaken. "We believe that this is just a case of a misunderstanding where the code came from." OpenTofu maintains the code was originally licensed under the MPL, not the BSL. If so, then OpenTofu was perfectly within its right to use the code in its codebase...

[OpenTofu's lawyer] concluded, "In the future, if you should have any concerns or questions about how source code in OpenTofu is developed, we would ask that you contact us first. Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this."

Adobe has begun to procure videos to build its AI text-to-video generator, trying to catch up to competitors after OpenAI demonstrated a similar technology. From a report: The software company is offering its network of photographers and artists $120 to submit videos of people engaged in everyday actions such as walking or expressing emotions including joy and anger, according to documents seen by Bloomberg. The goal is to source assets for artificial intelligence training, the company wrote.

Over the past year, Adobe has focused on adding generative AI features to its portfolio of software for creative professionals, including Photoshop and Illustrator. [...] Adobe is requesting more than 100 short clips of people engaged in actions and showing emotions as well as simple anatomy shots of feet, hands or eyes. The company also wants video of people "interacting with objects" such as smartphones or fitness equipment. It cautions against providing copyrighted material, nudity or other "offensive content." Pay for the submission works out, on average, to about $2.62 per minute of submitted video, although it could be as much as about $7.25 per minute.

HP "sought to take advantage of customers' sunk costs," printer owners claimed this week in a class action lawsuit against the hardware giant. The Register: Lawyers representing the aggrieved were responding in an Illinois court to an earlier HP motion to dismiss a January lawsuit. Among other things, the plaintiffs' filing stated that the printer buyers "never entered into any contractual agreement to buy only HP-branded ink prior to receiving the firmware updates." They allege HP broke several anti-competitive statutes, which they claim: "bar tying schemes, and certain uses of software to accomplish that without permission, that would monopolize an aftermarket for replacement ink cartridges, when these results are achieved in a way that 'take[s] advantage of customers' sunk costs.'"

In the case, which began in January, the plaintiffs are arguing that HP issued a firmware update between late 2022 and early 2023 that they allege disabled their printers if they installed a replacement cartridge that was not HP-branded. They are asking for damages that include the cost of now-useless third-party cartridges and an injunction to disable the part of the firmware updates that prevent the use of third-party ink.

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

Microsoft has started showing full screen warnings about the upcoming end of support date on Windows 10 PCs. From a report: Users on Reddit have reported seeing the prompt, which began appearing after this week's Patch Tuesday updates were installed, and encourages the user to learn more about how they can transition to Windows 11. Windows 10's end of support date is currently set for October 14, 2025. After that date, Windows 10 users will no longer receive critical security and bug fix updates, leaving any Windows 10 PC connected to the internet vulnerable to any newly discovered security exploits. The full screen prompt that is now appearing on some Windows 10 PCs thanks the user for their loyalty using Windows 10, and warns that this end of life (EOL) date is approaching. It also wastes no time advertising Windows 11, encouraging the user to learn more about how they can transition to a new Windows 11 PC. Notably, there's no button to tell the prompt to never show again.

Liam Proven reports via The Register: Bad news for those who want to play with OpenVMS in non-production use. Older versions are disappearing, and the terms are getting much more restrictive. The corporation behind the continued development of OpenVMS, VMS Software, Inc. -- or VSI to its friends, if it has any left after this -- has announced the latest Updates to the Community Program. The news does not look good: you can't get the Alpha and Itanium versions any more, only a limited x86-64 edition.

OpenVMS is one of the granddaddies of big serious OSes. A direct descendant of the OSes that inspired DOS, CP/M, OS/2, and Windows, as well as the native OS of the hardware on which Unix first went 32-bit, VMS has been around for nearly half a century. For decades, its various owners have offered various flavors of "hobbyist program" under which you could get licenses to install and run it for free, as long as it wasn't in production use. Since Compaq acquired DEC, then HP acquired Compaq, its prospects looked checkered. HP officially killed it off in 2013, then in 2014 granted it a reprieve and sold it off instead. New owner VSI ported it to x86-64, releasing that new version 9.2 in 2022. Around this time last year, we covered VSI adding AMD support and opening a hobbyist program of its own. It seems from the latest announcement that it has been disappointed by the reception: "Despite our initial aspirations for robust community engagement, the reality has fallen short of our expectations. The level of participation in activities such as contributing open source software, creating wiki articles, and providing assistance on forums has not matched the scale of the program. As a result, we find ourselves at a crossroads, compelled to reassess and recalibrate our approach."

Although HPE stopped offering hobbyist licenses for the original VAX versions of OpenVMS in 2020, VSI continued to maintain OpenVMS 8 (in other words, the Alpha and Itanium editions) while it worked on version 9 for x86-64. VSI even offered a Student Edition, which included a freeware Alpha emulator and a copy of OpenVMS 8.4 to run inside it. Those licenses run out in 2025, and they won't be renewed. If you have vintage DEC Alpha or HP Integrity boxes with Itanic chips, you won't be able to get a legal licensed copy of OpenVMS for them, or renew the license of any existing installations -- unless you pay, of course. There will still be a Community license edition, but from now on it's x86-64 only. Although OpenVMS 9 mainly targets hypervisors anyway, it does support bare-metal operations on a single model of HPE server, the ProLiant DL380 Gen10. If you have one of them to play with -- well, tough. Now Community users only get a VM image, supplied as a VMWare .vmdk file. It contains a ready-to-go "OpenVMS system disk with OpenVMS, compilers and development tools installed." Its license runs for a year, after which you will get a fresh copy. This means you won't be able to configure your own system and keep it alive -- you'll have to recreate it, from scratch, annually. The only alternative for those with older systems is to apply to be an OpenVMS Ambassador.

A bill introduced in the US Congress on Tuesday intends to force AI companies to reveal the copyrighted material they use to make their generative AI models. From a report: The legislation adds to a growing number of attempts from lawmakers, news outlets and artists to establish how AI firms use creative works like songs, visual art, books and movies to train their software-and whether those companies are illegally building their tools off copyrighted content.

The California Democratic congressman Adam Schiff introduced the bill, the Generative AI Copyright Disclosure Act, which would require that AI companies submit any copyrighted works in their training datasets to the Register of Copyrights before releasing new generative AI systems, which create text, images, music or video in response to users' prompts. The bill would need companies to file such documents at least 30 days before publicly debuting their AI tools, or face a financial penalty. Such datasets encompass billions of lines of text and images or millions of hours of music and movies.

"AI has the disruptive potential of changing our economy, our political system, and our day-to-day lives. We must balance the immense potential of AI with the crucial need for ethical guidelines and protections," Schiff said in a statement. Whether major AI companies worth billions have made illegal use of copyrighted works is increasingly the source of litigation and government investigation. Schiff's bill would not ban AI from training on copyrighted material, but would put a sizable onus on companies to list the massive swath of works that they use to build tools like ChatGPT -- data that is usually kept private.

An anonymous reader quotes a report from Reuters: Independent browser companies in the European Union are seeing a spike in users in the first month after EU legislation forced Alphabet's Google, Microsoft and Apple to make it easier for users to switch to rivals, according to data provided to Reuters by six companies. The early results come after the EU's sweeping Digital Markets Act, which aims to remove unfair competition, took effect on March 7, forcing big tech companies to offer mobile users the ability to select from a list of available web browsers from a "choice screen." [...]

Cyprus-based Aloha Browser said users in the EU jumped 250% in March -- one of the first companies to give monthly growth numbers since the new regulations came in. Founded in 2016, Aloha, which markets itself as a privacy focused alternative to browsers owned by big tech, has 10 million monthly average users and earns money through paid subscriptions, rather than selling ads by tracking users. "Before, EU was our number four market, right now it's number two," Aloha CEO Andrew Frost Moroz said in an interview. Norway's Vivaldi, Germany's Ecosia and U.S.-based Brave have also seen user numbers rise following the new regulation. U.S.-based DuckDuckGo, which has about 100 million users, and its bigger rival, Norway-based Opera (OPRA.O), opens new tab are also seeing growth in users, but said the choice screen rollout is still not complete. "We are experiencing record user numbers in the EU right now," said Jan Standal, vice president at Opera, which counts over 324 million global users.

Under the new EU rules, mobile software makers are required to show a choice screen where users can select a browser, search engine and virtual assistant as they set up their phones. Previously, tech companies such as Apple and Google loaded phones with default settings that included their preferred services, such as the voice assistant Siri for iPhones. Changing these settings required a more complicated process. Apple is now showing up to 11 browsers in addition to Safari in the choice screens curated for each of the 27 countries in the EU, and will update those screens once every year for each country. While DuckDuckGo and Opera are offered in Apple's list, opens new tab in all 27 countries, Aloha is in 26 countries, Ecosia is in 13 and Vivaldi in 8. Google is currently showing browser choices on devices made by the company and said new devices made by other companies running Android operating system will also display choice screen in the coming months. A Google spokesperson said they do not have data on choice screens to share yet.

Intel on Tuesday unveiled its new "Gaudi 3" AI chip that the company claims is over twice as power-efficient and can run AI models one-and-a-half times faster than Nvidia's H100 GPU. "It also comes in different configurations like a bundle of eight Gaudi 3 chips on one motherboard or a card that can slot into existing systems," adds CNBC. From the report: Intel tested the chip on models like Meta's open-source Llama and the Abu Dhabi-backed Falcon. It said Gaudi 3 can help train or deploy models, including Stable Diffusion or OpenAI's Whisper model for speech recognition. Intel says its chips use less power than Nvidia's. Intel said that the new Gaudi 3 chips would be available to customers in the third quarter, and companies including Dell, Hewlett Packard Enterprise, and Supermicro will build systems with the chips. Intel didn't provide a price range for Gaudi 3.

Gaudi 3 is built on a five nanometer process, a relatively recent manufacturing technique, suggesting that the company is using an outside foundry to manufacture the chips. In addition to designing Gaudi 3, Intel also plans to manufacture AI chips, potentially for outside companies, at a new Ohio factory expected to open in 2027 or 2028, CEO Patrick Gelsinger told reporters last month. "We do expect it to be highly competitive" with Nvidia's latest chips, said Das Kamhout, vice president of Xeon software at Intel, on a call with reporters. "From our competitive pricing, our distinctive open integrated network on chip, we're using industry-standard Ethernet. We believe it's a strong offering."

It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources.

But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards. "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in — of which 24 have been analyzed.]

Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well."

NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..."

A group of cybersecurity professionals have signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.
The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish a NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow."

Thanks to Slashdot reader spatwei for sharing the article.

The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender announced plans to create "common specifications for secure software development," based on "existing open source best practices."

From the Eclipse Foundation: This collaborative effort will be hosted at the Brussels-based Eclipse Foundation [an international non-profit association] under the auspices of the Eclipse Foundation Specification Process and a new working group... Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well.

The starting point for this highly technical standardisation effort will be today's existing security policies and procedures of the respective open source foundations, and similar documents describing best practices.

The governance of the working group will follow the Eclipse Foundation's usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence... While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation.

The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.
The Apache Foundation notes the working group is forming partly "to demonstrate our commitment to cooperation with and implementation of" the EU's Cyber Resilience Act. But the Eclipse Foundation adds that even before it goes into effect in 2027, they're recognizing open source software's "increasingly vital role in modern society" and an increasing need for reliability, safety, and security, so new regulations like the CRA "underscore the urgency for secure by design and robust supply chain security standards."

Their announcement adds that "It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises." But at the same time, "Today's global software infrastructure is over 80% open source... [W]hen we discuss the 'software supply chain,' we are primarily, but not exclusively, referring to open source."

"We invite you to join our collaborative effort to create specifications for secure open source development," their announcement concludes," promising initiative updates on a new mailing list. "Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges."

The Python Foundation's announcement calls it a "community-driven initiative" that will have "a lasting impact on the future of cybersecurity and our shared open source communities."

"The San Francisco Giants are one of four teams in Major League Baseball this season offering fans a free shortcut through the gates into the ballpark," writes SFGate.

"The cost? Signing up for the league's 'facial authentication' software through its ticketing app." The Giants are using MLB's new Go-Ahead Entry program, which intends to cut down on wait times for fans entering games. The pitch is simple: Take a selfie through the MLB Ballpark app (which already has your tickets on it), upload the selfie and, once you're approved, breeze through the ticketing lines and into the ballpark. Fans will barely have to slow down at the entrance gate on their way to their seats...

The Philadelphia Phillies were MLB's test team for the technology in 2023. They're joined by the Giants, Nationals and Astros in 2024...

[Major League Baseball] says it won't be saving or storing pictures of faces in a database — and it clearly would really like you to not call this technology facial recognition. "This is not the type of facial recognition that's scanning a crowd and specifically looking for certain kinds of people," Karri Zaremba, a senior vice president at MLB, told ESPN. "It's facial authentication. ... That's the only way in which it's being utilized."
Privacy advocates "have pointed out that the creep of facial recognition technology may be something to be wary of," the article acknowledges. But it adds that using the technology is still completely optional.

And they also spoke to the San Francisco Giants' senior vice president of ticket sales, who gushed about the possibility of app users "walking into the ballpark without taking your phone out, or all four of us taking our phones out."

In Communication of the ACM, Google's VP of Education notes how calculators impacted math education — and wonders whether generative AI will have the same impact on CS education: Teachers had to find the right amount of long-hand arithmetic and mathematical problem solving for students to do, in order for them to have the "number sense" to be successful later in algebra and calculus. Too much focus on calculators diminished number sense. We have a similar situation in determining the 'code sense' required for students to be successful in this new realm of automated software engineering. It will take a few iterations to understand exactly what kind of praxis students need in this new era of LLMs to develop sufficient code sense, but now is the time to experiment."
Long-time Slashdot reader theodp notes it's not the first time the Google executive has had to consider "iterating" curriculum: The CACM article echoes earlier comments Google's Education VP made in a featured talk called The Future of Computational Thinking at last year's Blockly Summit. (Blockly is the Google technology that powers drag-and-drop coding IDE's used for K-12 CS education, including Scratch and Code.org). Envisioning a world where AI generates code and humans proofread it, Johnson explained: "One can imagine a future where these generative coding systems become so reliable, so capable, and so secure that the amount of time doing low-level coding really decreases for both students and for professionals. So, we see a shift with students to focus more on reading and understanding and assessing generated code and less about actually writing it. [...] I don't anticipate that the need for understanding code is going to go away entirely right away [...] I think there will still be at least in the near term a need to understand read and understand code so that you can assess the reliabilities, the correctness of generated code. So, I think in the near term there's still going to be a need for that." In the following Q&A, Johnson is caught by surprise when asked whether there will even be a need for Blockly at all in the AI-driven world as described — and the Google VP concedes there may not be.

AMD plans to document and open source its Micro Engine Scheduler (MES) firmware for GPUs, giving users more control over Radeon graphics cards. From a report: It's part of a larger effort AMD confirmed earlier this week about making its GPUs more open source at both a software level in respect to the ROCm stack for GPU programming and a hardware level. Details were scarce with this initial announcement, and the only concrete thing it introduced was a GitHub tracker.

However, yesterday AMD divulged more details, specifying that one of the things it would be making open source was the MES firmware for Radeon GPUs. AMD says it will be publishing documentation for MES around the end of May, and will then release the source code some time afterward. For one George Hotz and his startup, Tiny Corp, this is great news. Throughout March, Hotz had agitated for AMD to make MES open source in order to fix issues he was experiencing with his RX 7900 XTX-powered AI server box. He had talked several times to AMD representatives, and even the company's CEO, Lisa Su.

Matthew Connatser reports via The Register: An ASIC designed to display the infamous Rickroll meme is here, alongside 164 other assorted functions. The project is a product of Matthew Venn's Zero to ASIC Course, which offers prospective chip engineers the chance to "learn to design your own ASIC and get it fabricated." Since 2020, Zero to ASIC has accepted several designs that are incorporated into a single chip called a multi-project wafer (MPW), a cost-saving measure as making one chip for one design would be prohibitively expensive. Zero to ASIC has two series of chips: MPW and Tiny Tapeout. The MPW series usually includes just a handful of designs, such as the four on MPW8 submitted in January 2023. By contrast, the original Tiny Tapeout chip included 152 designs, and Tiny Tapeout 2 (which arrived last October) had 165, though could bumped up to 250. Of the 165 designs, one in particular may strike a chord: Design 145, or the Secret File, made by engineer and YouTuber Bitluni. His Secret File design for the Tiny Tapeout ASIC is designed to play a small part of Rick Astley's music video for Never Gonna Give You Up, also known as the Rickroll meme.

Bitluni was a late inclusion on the Tiny Tapeout 2 project, having been invited just three days before the submission deadline. He initially just made a persistence-of-vision controller, which was revised twice for a total of three designs. "At the end, I still had a few hours left, and I thought maybe I should also upload a meme project," Bitluni says in his video documenting his ASIC journey. His meme of choice was of course the Rickroll. One might even call it an Easter egg. However, given that there were 250 total plots for each design, there wasn't a ton of room for both the graphics processor and the file it was supposed to render, a short GIF of the music video. Ultimately, this had to be shrunk from 217 kilobytes to less than half a kilobyte, making its output look similar to games on the Atari 2600 from 1977. Accessing the Rickroll rendering processor and other designs isn't simple. Bitluni created a custom circuit board to mount the Tiny Tapeout 2 chip, creating a device that could then be plugged into a motherboard capable of selecting specific designs on the ASIC. Unfortunately for Bitluni, his first PCB had a design error on it that he had to correct, but the revised version worked and was able to display the Rickroll GIF in hardware via a VGA port.

After six months of work, DRM developer Maurice Heumann successfully cracked Hogwarts Legacy's Denuvo DRM protection system to learn more about the technology. According to Tom's Hardware, he's "left plenty of the details of his work vague so as not to promote illegal cracking." From the report: Heumann reveals in his blog post that Denuvo utilizes several different methods to ensure that Hogwarts Legacy is being run under appropriate (legal) conditions. First, the DRM creates a "fingerprint" of the game owner's system, and a Steam Ticket is used to prove game ownership. The Steam ticket is sent to the Steam servers to ensure the game was legitimately purchased. Heumann notes that he doesn't technically know what the Steam servers are doing but says this assumption should be accurate enough to understand how Denuvo works.

Once the Steam ticket is verified, a Denuovo Token is generated that only works on a PC with the exact fingerprint. This token is used to decrypt certain values when the game is running, enabling the system to run the game. In addition, the game will use the fingerprint to periodically verify security while the game is running, making Denuvo super difficult to hack.

After six months, Heumann was able to figure out how to hijack Hogwart Legacy's Denuvo fingerprint and use it to run the game on another machine. He used the Qiling reverse engineering framework to identify most of the fingerprint triggers, which took him two months. There was a third trigger that he says he only discovered by accident. By the end, he was able to hack most of the Denuvo DRM with ~2,000 of his own patches and hooks, and get the game running on his laptop using the token generated from his desktop PC. Heumann ran a bunch of tests to determine if performance was impacted, but he wasn't able to get a definitive answer. "He discovered that the amount of Denuvo code executed in-game is quite infrequent, with calls occurring once every few seconds, or during level loads," reports Tom's Hardware. "This suggests that Denuvo is not killing performance, contrary to popular belief."

The Document Foundation: Following a successful pilot project, the northern German federal state of Schleswig-Holstein has decided to move from Microsoft Windows and Microsoft Office to Linux and LibreOffice (and other free and open source software) on the 30,000 PCs used in the local government. As reported on the homepage of the Minister-President: "Independent, sustainable, secure: Schleswig-Holstein will be a digital pioneer region and the first German state to introduce a digitally sovereign IT workplace in its state administration. With a cabinet decision to introduce the open-source software LibreOffice as the standard office solution across the board, the government has given the go-ahead for the first step towards complete digital sovereignty in the state, with further steps to follow."