Yahoo!

Yahoo Cybersecurity Team Sees Layoffs, Outsourcing of 'Red Team,' Under New CTO (techcrunch.com)

Yahoo laid off around 25% of its cybersecurity team -- known as The Paranoids -- over the last year, TechCrunch has learned. From the report: Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024, according to multiple current and former Yahoo employees who spoke to TechCrunch on condition of anonymity. (Yahoo is TechCrunch's parent company.)

The Paranoids are not the only team affected by the layoffs. Valeri Liborski, who was appointed Yahoo's chief technology officer in September, sent an email this week to employees announcing changes across the broader technology unit, including enterprise productivity and core services. The email to staff, which was obtained by TechCrunch, said: "This was a very difficult decision and one I have not taken lightly."

The Paranoids' so-called red team, or offensive security team -- which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can -- was eliminated entirely this week, and there have been at least three rounds of layoffs impacting the cybersecurity team this year, according to the sources.

Security

Researchers Uncover Chinese Spyware Used To Target Android Devices (techcrunch.com)

Security researchers have uncovered a new surveillance tool that they say has been used by Chinese law enforcement to collect sensitive information from Android devices in China. From a report: The tool, named "EagleMsgSpy," was discovered by researchers at U.S. cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it had acquired several variants of the spyware, which it says has been operational since "at least 2017."

Kristina Balaam, a senior intelligence researcher at Lookout, told TechCrunch the spyware has been used by "many" public security bureaus in mainland China to collect "extensive" information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps including Telegram and WhatsApp. EagleMsgSpy is also capable of initiating screen recordings on smartphones, and can capture audio recordings of the device while in use, according to research Lookout shared with TechCrunch.

A manual obtained by Lookout describes the app as a "comprehensive mobile phone judicial monitoring product" that can obtain "real-time mobile phone information of suspects through network control without the suspect's knowledge, monitor all mobile phone activities of criminals and summarize them."

China

China's Trillion-Dollar Bet on High-Speed Rail Transformation (msn.com)

China's high-speed rail network, which has tripled to nearly 30,000 miles under President Xi Jinping's leadership, faces mounting financial challenges amid aggressive expansion plans. China State Railway Group, the national operator, has accumulated nearly $1 trillion in debt and liabilities, requiring $25 billion annually for debt service.

Despite this, plans call for adding 15,000 more miles by 2035. While flagship routes between major cities like Beijing and Shanghai remain profitable, newer lines into rural regions are struggling with low ridership. In Sichuan province's Fushun County, which received high-speed rail service in 2021, stations built for thousands sit largely empty despite having 12 high-speed rail stops within a 40-mile radius.

The expansion has become a symbol of China's technological advancement but raises concerns about economic viability. Ticket prices are maintained at about one-quarter of global averages to ensure public access, limiting profit potential. The railway operator turned a modest $460 million profit in 2023, aided by government subsidies, after three years of losses during the pandemic.

Transportation

'Solar Paint' Being Developed By Mercedes-Benz Could Revolutionize EV Charging (mbusa.com)

"Mercedes-Benz is researching a new type of solar modules that could be seamlessly applied to the bodywork of electric vehicles," according to a recent Mercedes-Benz press release.

They describe the 5-micrometer coating as "similar to a wafer-thin layer of paste... significantly thinner than a human hair" — but creating an active photovoltaic surface with an efficiency of 20%. An area of 118.4 square feet (equivalent to the surface of a mid-size SUV) could produce energy for up to 7,456 miles per year under ideal conditions [based on daylight conditions from their testing in Stuttgart]. The energy generated by the solar cells is used for driving or fed directly into the high-voltage battery...

Solar paint has a high level of efficiency and contains no rare earths or silicon — only non-toxic, readily available raw materials. It is easy to recycle and considerably cheaper to produce than conventional solar modules. The Mercedes-Benz research department is currently working to enable use of the new solar paint on all exterior vehicle surfaces — regardless of shape or angle.

Solar paint could power 62% of the travel for a typical Stuttgart driver, their announcement notes. But in a sunnier city like Los Angeles, "It could be used for 100% of their driving, on average." (And "the surplus of energy could be fed directly into the home network via bidirectional charging.")

Mercedes-Benz researchers "initially thought the tech had limited scope for mass production," reports EV Central, "until experiments were carried out with prototypes coated with the paint in real-world scenarios. Instead of just coating the roof and bonnet to form a 1.8-square-metre surface area, one scientist suggested covering an entire car with the new solar paint, ramping up the surface area to more than 11m2. Another difference to the [Mercedes-Benz 2022 Vision EQXX concept] is instead of wiring the body panels to the 12-volt system, scientists hardwired the body panels to the Benz's high-voltage battery and the performance of the paint was well beyond expectations... Available in all colours, engineers admit the solar paint works best in darker shades. When it's launched, the tech should be as durable as regular paint. The photovoltaic surface is protected by at least two protective lacquer finishes to ensure it isn't damaged in daily use."

Mercedes-Benz says the solar paint could mean "increased electric range and fewer charging stops." And this is significant, because "Electric vehicle charging and infrastructure are two major obstacles to EV adoption on a mass scale," writes Autoblog — arguing that Mercedes-Benz "may have a solution... " Alternative methods of energy harnessing could help alleviate range anxiety, increase an EV's driving distance, and reduce charging costs across the board. Not only that but considering the cost of producing Mercedes' solar coating and the lack of rare earth metals, it could be the leading solution to charging concerns... While the German automaker says the solar paint isn't ready for production on a mass scale, research and development are progressing at a steady rate. If all goes well, we'll hopefully see solar coating as an accessory EV charging solution within the next decade.

Thanks to long-time Slashdot reader schwit1 for sharing the news.

China

America's Phone Networks Could Soon Face Financial - and Criminal - Penalties for Insecure Networks (msn.com)

The head of America's FCC "has drafted plans to regulate the cybersecurity of telecommunications companies," reports the Washington Post, and the plans could include financial penalties for phone network operators with insufficient security — "the first time the agency has asserted such powers under federal wiretapping law." Rosenworcel said the FCC's authority in this matter comes from Section 105 of the Communications Assistance for Law Enforcement Act [passed in 1994] — a single sentence that stipulates, without elaboration, that telecommunications carriers should ensure systems security "in accordance with regulations prescribed by the Commission." As one of the measures, she is seeking to require network providers to submit an annual certification to the FCC that they are implementing a cybersecurity risk management plan. In addition to imposing fines, the FCC could coordinate with other agencies to pursue criminal penalties against carriers deemed too careless on cybersecurity...

Biden administration officials said voluntary efforts to protect against aggressive Chinese hacking activity have fallen short. "We've had for the last decade voluntary public-private partnership efforts," Neuberger told The Post in a recent interview. "But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed." With China's hackers becoming more brazen, pre-positioning themselves in U.S. critical networks, "we need to lock our digital doors," Neuberger said...

Cyber requirements can make a difference, she said. After the Colonial Pipeline ransomware attack in 2021 shut down one of the nation's largest energy pipelines for several days, creating a national security scare, the Transportation Security Administration issued several security directives, and today, all of the country's several dozen critical pipeline companies are in compliance, she said. Similar directives were subsequently issued for rail and aviation sectors, and the compliance rates in those industries are now at 68 and 57 percent respectively, she said.

The Internet

Is Europe Better Prepared to Protect Undersea Internet Cables? (carnegieendowment.org)

The Carnegie Endowment for Peace, a nonpartisan international affairs think tank, points out that when subsea internet cables were cut in November, Europe was more prepared: Where in the past there were no contingency plans for sabotage, there are now more maritime patrols, an attempt to forge deeper intelligence connections, and the beginnings of a new relationship with the private sector...

Even before the October 2023 incident, NATO, the EU, and certain European governments began to increase their efforts to boost subsea cable resilience and security. In February 2023, NATO stood up a new Critical Undersea Infrastructure Coordination Cell in Brussels to convene stakeholders and enhance coordination between the public and private sectors. In July 2023, NATO allies at the Vilnius Summit established a Maritime Center for the Security of Critical Undersea Infrastructure as part of the alliance's Maritime Command in Northwood, UK. In October 2023, after the first incident, NATO defense ministers endorsed a new Digital Ocean Vision, an initiative aimed at improving undersea surveillance. And in February 2024, the European Commission released its first "Recommendation on Secure and Resilient Submarine Cable Infrastructures," encouraging member states to conduct regular stress tests, improve information sharing amongst themselves, and improve cable maintenance and repair capabilities.

The article points out that the Chinese ship suspected in the 2023 cable cutting "ignored requests from Finnish and Estonian authorities to halt" and returned to China. But the Chinese ship suspected in November's cable-cutting "remains in international waters in the Kattegat, with naval and coast guard vessels from Denmark, Germany, and Sweden circling close by." Yet "Under international maritime law, these countries' authorities are not allowed to board..." Current provisions of international law are neither formulated to adequately protect subsea data cables from sabotage nor hold perpetrators accountable. This reality should lead the EU, as a body inherently focused on the resilience of international legal regimes, to push for updates that are better suited for the current geopolitical reality... Lawmakers should also explore ways to increase penalties for subsea cable damage, in part to deter acts of sabotage in the first place....

A forthcoming Carnegie Endowment report will detail more in-depth recommendations on how Europe can both protect itself against future subsea cable damage and help expand trusted networks around the world.

The article also notes that "Of the hundreds of disruptions to cables that occur each year, the vast majority are caused by accidental human activity, like fishing, or natural events, like earthquakes."

Crime

Founder of Cryptocurrency Lender 'Celsius Network' Pleads Guilty to Fraud (reuters.com)

59-year-old Alex Mashinsky, the founder/former CEO of cryptocurrency lender Celsius Network, "pleaded guilty on Tuesday to two counts of fraud," reports Reuters.

He'd been indicted in July on seven counts of fraud, conspiracy and market manipulation charges, according to the article, and federal prosecutors in Manhattan "said he misled customers of Celsius to persuade them to invest, and artificially inflated the value of his company's proprietary crypto token." On Tuesday, during a hearing before U.S. District Judge John Koeltl, Mashinsky said he pleaded guilty to two out of the seven counts he was initially charged with: commodities fraud, and a fraudulent scheme to manipulate the price of CEL, Celsius' in-house token. In court, Mashinsky admitted to giving Celsius customers "false comfort" by giving an interview in 2021 in which he said Celsius had received approval from regulators for its "Earn" program, which it had not. That program offered to deploy customers' cryptocurrency assets to yield investment returns. He said he also failed to disclose that he had been selling his holdings of CEL, the platform's in-house token.

"I know what I did was wrong, and I want to try to do whatever I can to make it right," Mashinsky said. As part of his plea deal with prosecutors, Mashinsky agreed not to appeal any sentence of 30 years or less — the maximum he faces for the two counts. Koeltl is set to sentence him on April 8, 2025.

Federal prosecutors in Manhattan have said Mashinsky also personally reaped approximately $42 million in proceeds from selling his holdings of the Cel token. "Mashinsky made tens of millions of dollars selling his own CEL at artificially high prices, while his customers were left holding the bag when the company went bankrupt," Damian Williams, the U.S. Attorney in Manhattan, said in a statement on Tuesday... Founded in 2017, Celsius filed for Chapter 11 bankruptcy protection in July 2022 after customers rushed to withdraw deposits as crypto prices fell. Many were initially unable to access their funds... Celsius' former chief revenue officer, Roni Cohen-Pavon, pleaded guilty in September 2023 and agreed to cooperate with prosecutors' investigation.

"The company exited bankruptcy on Jan. 31, and has pivoted to Bitcoin mining..."

Transportation

Hyundai Has Best Month Ever in U.S. as Electric SUV Sales Suddenly Double (electrek.co)

Hyundai "just had its best sales month ever in the U.S.," reports Electrek: Hyundai's impressive EV lineup is charging up demand, with its best-selling Hyundai IONIQ 5 SUV also setting a new U.S. record after sales more than doubled in November. With 76,008 vehicles sold in November, Hyundai's record-breaking U.S. sales streak is not slowing down. Hyundai Motor America CEO Randy Parker credited the growing demand for EVs and hybrid vehicles to the growth.

Hyundai's EV sales rose 77% from last year, while hybrid sales surged 104%. Electrified retail sales (EV, PHEV, and hybrid models) climbed 92% in total last month. Several vehicles, including the Santa Fe HEV, Tucson PHEV, Tucson HEV, and IONIQ 5, had their best-ever sales month.

The article also notes increasing sales for Hyundai's electric SUV, the IONIQ 5. Starting at $43,975 — and recently upgraded to a range of 245 miles (or 318 miles for the $46,550 extended-range model) — it features an NACS port for accessing Tesla's Supercharger network.

United States

Telcos Struggle To Boot Chinese Hackers From Networks (axios.com)

China-linked spies are still lurking inside U.S. telecommunications networks roughly six months after American officials started investigating the intrusions, senior officials told reporters Tuesday. From a report: This is the first time U.S. officials have confirmed reports that Salt Typhoon hackers still have access to critical infrastructure -- and they're proving difficult to kick out. Officials added that they don't yet know the full scope of the intrusions, despite starting the investigation in late spring.

The Cybersecurity and Infrastructure Security Agency and FBI released guidance Tuesday for the communications sector to harden their networks against Chinese state-sponsored hackers. The guide includes basic steps like maintaining logs of activity on the network, keeping an inventory of all devices in the telecom's environment and changing any default equipment passwords. The hack has given Salt Typhoon unprecedented access to records from U.S. telecommunications networks about who Americans are communicating with, a senior FBI official told reporters during a briefing.

Intel

Intel CEO Gelsinger Exits as Chip Pioneer's Turnaround Falters (reuters.com)

Intel CEO Pat Gelsinger has stepped down amid the company's continued struggles against rivals, with shares losing over half their value this year. The chipmaker announced Monday that Chief Financial Officer David Zinsner and Executive Vice President Michelle Johnston Holthaus will serve as interim co-CEOs while the board searches for a permanent replacement.

Gelsinger, 63, was hired in 2021 to lead an ambitious turnaround aimed at reclaiming Intel's technological edge from competitors like Taiwan Semiconductor Manufacturing Co. His strategy included expanding Intel's factory network with new facilities in Ohio and transforming the company into a contract manufacturer for other firms. The plan faced significant headwinds as Nvidia dominated the AI chip market, with cloud computing companies increasingly favoring Nvidia's processors for AI development over Intel's Gaudi line.

Intel's challenges culminated in an August earnings report showing a surprise loss, leading to dividend suspension and plans to cut over 15% of its 110,000-person workforce. Board Chairman Frank Yeary, now serving as interim executive chair, emphasized the need to prioritize Intel's product group to meet customer demands. The leadership change also impacts the Biden administration's semiconductor industry initiatives, as Intel was set to receive the largest grant under the $39 billion Chips Act program.

Multiple news outlets including Bloomberg and Reuters report that Gelsinger was forced out by the board because "directors felt Gelsinger's costly and ambitious plan to turn Intel around was not working and the progress of change was not fast enough."

Power

Utilities Are Trying Enormous 'Flow' Batteries Big Enough to Oust Coal Power Plants (yahoo.com)

To help replace power plants, Japan's northernmost island, Hokkaido, "is turning to a new generation of batteries designed to stockpile massive amounts of energy," reports the Washington Post.

"The Hokkaido Electric Power Network (HEPCO Network) is deploying flow batteries, an emerging kind of battery that stores energy in hulking tanks of metallic liquid." [F]low batteries are making their debut in big real-world projects. Sumitomo Electric, the company that built the Hokkaido plant, has also built flow batteries in Taiwan, Belgium, Australia, Morocco and California. Hokkaido's flow battery farm was the biggest in the world when it opened in April 2022 — a record that lasted just a month before China built one that is eight times bigger and can deliver as much energy as an average U.S. natural gas plant. "It looks like flow batteries are finally about to take off with interest from China," said Michael Taylor, an energy analyst at the International Renewable Energy Agency, an international group that studies and promotes green energy. "When China starts to get comfortable with a technology and sees it working, then they will very quickly scale their manufacturing base if they think they can drive down the costs, which they usually can...."

Lithium-ion batteries are perfect for smartphones because they're lightweight and fit in small spaces, even if they don't last long and have to be replaced frequently. Utilities have a different set of priorities: They need to store millions of times more energy, and they have much more room to work with. "If you think about utility-scale stationary applications, maybe you don't need lithium-ion batteries. You can use another one that is cheaper and can provide the services that you want like, for example, vanadium flow batteries," said Francisco Boshell, a researcher at the International Renewable Energy Agency...

Flow batteries are designed to tap giant tanks that can store a lot of energy for a long time. To boost their storage capacity, all you have to do is build a bigger tank and add more vanadium. That's a big advantage: By contrast, there's no easy way to adjust the storage capacity of a lithium-ion battery — if you want more storage, you have to build a whole new battery... One major barrier to building more of these battery farms is finding enough vanadium. Three-quarters of the world's supply comes as a by-product from 10 steel mills in China and Russia, according to Kara Rodby [a battery analyst at the investment firm Volta Energy Technologies] who got her PhD at the Massachusetts Institute of Technology studying the design and market for flow batteries. Australia, South Africa and the United States also produce vanadium, but in much smaller quantities. Mines that have been proposed could boost supply. And some flow battery start-ups are trying to sidestep the vanadium problem entirely by using different materials that are easier to buy.

The other hurdle is their up-front cost. Vanadium flow batteries are at least twice as expensive to build as lithium-ion batteries, Rodby said, and banks are hesitant to lend money to fund an unfamiliar technology. But experts say flow batteries can be cheaper in the long run because they're easier to maintain and last longer. A lithium-ion battery might have to be replaced after 10 years, but Rodby says flow batteries can last much longer. "There really is no finite lifetime for a flow battery in the way there is for lithium-ion," Rodby said.

Here's an interesting statistic from the article. "Over the next six years, utilities will have to build 35 times as many batteries as there are today to soak up all extra renewable energy that will come online, according to the International Energy Agency."

Networking

OpenWRT One Released: First Router Designed Specifically For OpenWrt (sfconservancy.org)

Friday the Software Freedom Conservancy announced the production release of the new OpenWrt One network router — designed specifically for running the Linux-based router OS OpenWrt (a member project of the SFC). "This is the first wireless Internet router designed and built with your software freedom and right to repair in mind. The OpenWrt One will never be locked down and is forever unbrickable."

This device services your needs as its owner and user. Everyone deserves control of their computing. The OpenWrt One takes a great first step toward bringing software rights to your home: you can control your own network with the software of your choice, and ensure your right to change, modify, and repair it as you like.

The OpenWrt One demonstrates what's possible when hardware designers and manufacturers prioritize your software right to repair; OpenWrt One exuberantly follows these requirements of the copyleft licenses of Linux and other GPL'd programs. This device provides the fully copyleft-compliant source code release from the start. Device owners have all the rights as intended on Day 1; device owners are encouraged to take full advantage of these rights to improve and repair the software on their OpenWrt One. Priced at US$89 for a complete OpenWrt One with case (or US$68.42 for a caseless One's logic board), it's ready for a wide variety of use cases...

This new product has completed full FCC compliance tests; it's confirmed that OpenWrt met all of the FCC compliance requirements. Industry "conventional wisdom" often argues that FCC requirements somehow conflict with the software right to repair. SFC has long argued that's pure FUD. We at SFC and OpenWrt have now proved copyleft compliance, the software right to repair, and FCC requirements are all attainable in one product!

You can order an OpenWrt One now! Since today is the traditional day in the USA when folks buy gifts for loved ones, we urge you to invest in a wireless router that can last! We do expect that for orders placed today, sellers will deliver by December 22 in most countries... Regardless of where you buy from, for every purchase of a new OpenWrt One, a US$10 donation will go to the OpenWrt earmarked fund at Software Freedom Conservancy. Your purchase not only improves your software right to repair, but also helps OpenWrt and SFC continue to improve the important software and software freedom on which we all rely!

LWN.net points out that OpenWrt has also "served as the base on which a lot of network-oriented development (including the bufferbloat-reduction work) has been done." The OpenWrt One was designed to be a functional network router that would serve as a useful tool for the development of OpenWrt itself. To that end, the hope was to create a device that was entirely supported by upstream free software, and which was as unbrickable as it could be... The OpenWrt One comes with a two-core Arm Cortex-A53 processor, 1GB of RAM, and 256MB of NAND flash memory. There is also a separate, read-only 16MB NOR flash array in the device. Normally, the OpenWrt One will boot and run from the NAND flash, but there is a small switch in the back that will cause it to boot from the NOR instead. This is a bricking-resistance feature; should a software load break the device, it can be recovered by booting from NOR and flashing a new image into the NAND array...

After booting into the new image, the One behaved like any other OpenWrt router... What could be more interesting is seeing this router get into the hands of developers and enthusiasts who will use it to make OpenWrt (and other small-system distributions) better.

Long-time Slashdot reader dumfrac writes: The intent to build the device was announced on the OpenWRT forums earlier this year. It is based on MediaTek MT7981B (Filogic 820) SoC and MediaTek MT7976C dual-band WiFi 6 chipset and the board is made by Banana Pi. A poll to select the logo was run in April on the OpenWRT forums, and now the hardware is available for purchase.

Network

Ship's Crew Suspected of Deliberately Dragging Anchor for 100 Miles To Cut Baltic Cables (msn.com)

SpzToid writes: A Chinese commercial vessel that has been surrounded by European warships in international waters for a week is central to an investigation of suspected sabotage that threatens to test the limits of maritime law -- and heighten tensions between Beijing and European capitals.

Investigators suspect that the crew of the Yi Peng 3 bulk carrier -- 225 meters long, 32 meters wide and loaded with Russian fertilizer -- deliberately severed two critical data cables last week as its anchor was dragged along the Baltic seabed for over 100 miles.

Their probe now centers on whether the captain of the Chinese-owned ship, which departed the Russian Baltic port of Ust-Luga on Nov. 15, was induced by Russian intelligence to carry out the sabotage. It would be the latest in a series of attacks on Europe's critical infrastructure that law-enforcement and intelligence officials say have been orchestrated by Russia.

Network

Meta Plans $10 Billion Global 'Mother of All' Subsea Cables

Meta plans to build a $10 billion private, "mother of all" undersea fiber-optic cable network spanning over 40,000 kilometers around the world, according to TechCrunch. The project, dubbed "W" for its shape, would run from the U.S. east coast to the west coast via India, South Africa and Australia, avoiding regions prone to cable sabotage including the Red Sea and South China Sea.

The social media giant, which co-owns 16 existing cable networks, aims to gain full control over traffic prioritization for its services. The project mirrors Google's strategy of private cable ownership. The construction could take 5-10 years to complete.

Communications

FCC Approves T-Mobile, SpaceX License To Extend Coverage To Dead Zones

The FCC said it has approved a license for T-Mobile and SpaceX's Starlink to provide supplemental coverage to cover internet dead zones. Reuters reports: The license marks the first time the FCC has authorized a satellite operator collaborating with a wireless carrier to provide supplemental telecommunications coverage from space on some flexible-use spectrum bands allocated to terrestrial service. The partnership aims to extend the reach of wireless networks to remote areas and eliminate "dead zones."

T-Mobile and SpaceX announced a partnership in 2022 and in January the first set of satellites supporting the partnership was launched into low-Earth orbit with SpaceX's Falcon 9 rocket. "The FCC is actively promoting competition in the space economy by supporting more partnerships between terrestrial mobile carriers and satellite operators to deliver on a single network future that will put an end to mobile dead zones," said FCC Chair Jessica Rosenworcel.

Moon

Earth's 'Mini Moon' May Have Been a Chunk of Our Actual Moon (apnews.com)

An asteroid named 2024 PT5, recently exhibiting "mini moon" behavior around Earth, "may have been a boulder that was blasted off the moon by an impacting, crater-forming asteroid," reports the Associated Press. The 33-foot space rock is expected to pass safely near Earth in January, when it will be closely observed. From the report: While not technically a moon -- NASA stresses it was never captured by Earth's gravity and fully in orbit -- it's "an interesting object" worthy of study. The astrophysicist brothers who identified the asteroid's "mini moon behavior," Raul and Carlos de la Fuente Marcos of Complutense University of Madrid, have collaborated with telescopes in the Canary Islands for hundreds of observations so far.

Currently more than 2 million miles (3.5 million kilometers) away, the object is too small and faint to see without a powerful telescope. It will pass as close as 1.1 million miles (1.8 million kilometers) of Earth in January, maintaining a safe distance before it zooms farther into the solar system while orbiting the sun, not to return until 2055. That's almost five times farther than the moon. [...] NASA will track the asteroid for more than a week in January using the Goldstone solar system radar antenna in California's Mojave Desert, part of the Deep Space Network.

IT

QNAP NAS Users Locked Out After Firmware Update Snafu (theregister.com)

A firmware update has left QNAP network-attached storage device owners unable to access their systems, with standard reset procedures failing to resolve the issue.

The problematic update, QTS 5.2.2.2950 build 20241114, was released last week before being partially withdrawn, according to user reports on QNAP's community forums. QNAP, the Taiwan-based storage manufacturer, has not specified which models are affected by the faulty firmware.

Network

Thousands of Palo Alto Networks Firewalls Compromised This Week After Critical Security Hole (theregister.com)

Palo Alto Networks boasts 70,000 customers in 150 countries, including 85% of the Fortune 500.

But this week "thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bugs," reports the Register: The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware. Roughly 2,000 devices had been hijacked as of Wednesday — a day after Palo Alto Networks pushed a patch for the holes — according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800. The vendor, however, continues to talk only of a "limited number" of exploited installations... The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor.

Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day — but it was still working on a patch. On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second is a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474. The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface... once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz threat researchers.

Security

Craigslist Founder Gives $300M to Fund Critical US Infrastructure Cybersecurity (yahoo.com) 16

Craig Newmark "is alarmed about potential cybersecurity risks in the U.S.," according to Yahoo Finance. The 71-year-old Craigslist founder says "our country is under attack now" in a new interview with Yahoo Finance executive editor Brian Sozzi on his Opening Bid podcast.

But Newmark also revealed what he's doing about it: [H]e started Craig Newmark Philanthropies to primarily invest in projects to protect critical American infrastructure from cyberattacks. He told Sozzi he is now spending $200 million more to address the issue, on top of an initial $100 million pledge revealed in September of this year. He encouraged other wealthy people to join him in the fight against cyberattacks. "I tell people, 'Hey, the people who protect us could use some help. The amounts of money comparatively are small, so why not help out,'" he said... The need for municipalities and other government entities to act rather than react remains paramount, warns Newmark. "I think a lot about this," said Newmark.

"I've started to fund networks of smart volunteers who can help people protect infrastructure, particularly [for] the small companies and utilities across the country who are responsible for most of our electrical and power supplies, transportation infrastructure, [and] food distribution.... A lot of these systems have no protection, so an adversary could just compromise them, saying unless you do what we need, we can start shutting off these things," he continued. Should that happen, recovery "could take weeks and weeks without your water supply or electricity."

A web page at Craig Newmark Philanthropies offers more details: Craig was part of the whole "duck and cover" thing, in the 50s and 60s, and realizes that we need civil defense in the cyber domain, "cyber civil defense." This is patriotism, for regular people.

He's committed $100 million to form a Cyber Civil Defense network of groups who are starting to protect the country from cyber threats. Attacks on our power grids, our cyber infrastructure and even the internet-connected gadgets and appliances in our homes are real. If people think that's alarmist, tell them to "Blame Craig." The core of Cyber Civil Defense [launched in 2022] includes groups like Aspen Digital, Global Cyber Alliance, and Consumer Reports, focusing on citizen cyber education and literacy, cyber tool development, and cybersecurity workforce programs aimed at diversifying the growing field.

It's already made significant investments in groups like the Ransomware Task Force and threat watchdog group Shadowserver Foundation...

Windows

Microsoft's Controversial 'Recall' Feature is Already Experiencing Some Issues (cnbc.com) 73

Microsoft's controversial "Recall" feature (in a public preview of Windows 11) already has some known issues, Microsoft admitted Friday. For example:

- Recall can be enabled or disabled from "Turn Windows features on or off". We are caching the Recall binaries on disk while we test add/remove. In a future update we will completely remove the binaries.

- You must have Secure Boot enabled for Recall to save snapshots.

- Some users experience a delay before snapshots first appear in the timeline while using their device. If snapshots do not appear after 5 minutes, reboot your device. If saving snapshots is enabled, but you see snapshots are no longer being saved, reboot your device.

- Clicking links within Recall to submit feedback may experience a delay in loading the Feedback Hub application. Be patient and it will display.

CNBC adds that, according to Microsoft, Recall "won't work with some accessibility programs, and if you specify that Recall shouldn't save content from a given website, it might get captured anyway while using the built-in Edge browser..." But those aren't the only issues CNBC noticed:

- While you might expect that your computer will be recording every last thing you look at once you've turned on Recall, it can go several minutes between making snapshots, leaving gaps in the timeline.

- Recall allows you to prevent screenshots from being made when you're accessing specific apps. But a few apps installed on my Surface Pro are not shown on that list.

- When you enter a search string to find words, results might be incomplete or incorrect. Recall clearly had two screen images that mention "Yankees," but when I typed that into the search box, only one of them came up as a text match. I typed in my last name, which appeared in eight images, but Recall produced just two text matches.

- Recall made a screenshot while I was scrolling through posts on social network BlueSky, and one contains a photo of a New York street scene. You can see a stoplight, a smokestack and street signs. I typed each of those into the search box, but Recall came up with no results...

- The search function is fast, but flipping through snapshots in Recall is not. It can take a couple of seconds to load screenshots as you swipe between them.
