Operating Systems

FreeBSD Can Now Boot in 25 Milliseconds (theregister.com) 77

Replacing a sort algorithm in the FreeBSD kernel has improved its boot speed by a factor of 100 or more... and although it's aimed at a micro-VM, the gains should benefit everyone. From a report: MicroVMs are a hot area of technology R&D in the last half decade or so. The core idea is a re-invention of some of the concepts and technology that IBM invented along with the hypervisor in the 1960s: designing OSes specifically to run as guests under another OS. This means building the OS specifically to run inside a VM, and to talk to resources provided by a specific hypervisor rather than to fake hardware.

This means that the guest OS needs next to no support for real hardware, just VirtIO drivers which talk directly to facilities provided by the host hypervisor. In turn, the hypervisor doesn't have to provide an emulated PCI bus, emulated power management, emulated graphics card, emulated network interface cards, and so on. The result is that the hypervisor itself can be much smaller and simpler. The result of ruthlessly chopping down both the hypervisor, and the OS that runs inside it, is that both ends can be much smaller and simpler. That means that VMs can use much fewer resources, and start up much quicker.

The Almighty Buck

Visa, Mastercard Prepare To Raise Credit-Card Fees 225

Visa and Mastercard are planning to increase fees that many merchants pay when they accept customers' credit cards. From a report: The fee increases are scheduled to start in October and April, according to people familiar with the matter and documents viewed by The Wall Street Journal. Many of the increases are for online purchases. The changes could result in merchants paying an additional $502 million annually in fees, according to CMSPI, a consulting company that works with merchants.

Increases in network fees will make up a little more than half of that revenue, CMSPI estimated. The rest will come from increases in interchange fees, also called swipe fees. Merchants pay these fees when shoppers pay via credit card. The economy of interchange fees is largely hidden from shoppers. But the fees are a major source of contention between the card networks and merchants large and small, from giant online retailers to corner coffee shops. U.S. merchants paid an estimated $93 billion in Visa and Mastercard credit-card fees last year, according to the Nilson Report, an industry publication. That was up from about $33 billion in 2012. Merchants pass along at least some of that cost to consumers in the form of higher prices. More small businesses have started offering discounts to shoppers who pay by debit card, cash or check.

Piracy

Sports Leagues Ask US For 'Instantaneous' DMCA Takedowns and Website Blocking (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: Sports leagues are urging the US to require "instantaneous" takedowns of pirated livestreams and new requirements for Internet service providers to block pirate websites. The Digital Millennium Copyright Act of 1998 requires websites to "expeditiously" remove infringing material upon being notified of its existence. But pirated livestreams of sports events often aren't taken down while the events are ongoing, said comments submitted last week by Ultimate Fighting Championship, the National Basketball Association, and National Football League.

The "DMCA does not define 'expeditiously,' and OSPs [online service providers] have exploited this ambiguity in the statutory language to delay removing content in response to takedown requests," the leagues told the US Patent and Trademark Office in response to a request for comments on addressing counterfeiting and piracy. The leagues urged the US "to establish that, in the case of live content, the requirement to 'expeditiously' remove infringing content means that content must be removed 'instantaneously or near-instantaneously' in response to a takedown request." The leagues claimed the change "would be a relatively modest and non-controversial update to the DMCA that could be included in the broader reforms being considered by Congress or could be addressed separately." They also want stricter "verification measures before a user is permitted to livestream."

The UFC separately submitted comments on its own, urging the US to require that ISPs block pirate sites. The UFC said that a "significant and growing" number of websites, typically operated from outside the US, don't respond to takedown requests and thus should be blocked by broadband network operators. The UFC wrote: "Unlike many other jurisdictions around the world, the US lacks a 'site-blocking' regime whereby copyright owners may obtain no-fault injunctions requiring domestic Internet service providers to block websites that are primarily geared at infringing activity. A 'site-blocking' regime, with appropriate safeguards to prevent abuse, would substantially facilitate all copyright owners' ability to address piracy, including UFC's." Website-blocking is bound to be a controversial topic, although the Federal Communications Commission's now-repealed net neutrality rules only prohibited blocking of "lawful Internet traffic." While the UFC said it just wants "websites that are primarily geared at infringing activity" to be blocked, a site-blocking regime could be used more expansively if there aren't strict limits.

Security

FBI Dismantles a Malware System That Took Millions in Ransom (bloomberg.com) 19

The FBI said Tuesday that it has taken down a network of hacked devices responsible for extorting tens of millions of dollars from victims around the world. From a report: US officials described the network known as Qakbot as one of the most notorious "botnets" in the world, referring to computer networks that have been infected with malicious software so that they can be controlled remotely without the owner's knowledge -- often to send phishing emails. These emails can in turn be used to hack into victims' computer systems, which attackers will hold for ransom.

Qakbot was instrumental in enabling cyberattacks against businesses and critical services around the world, according to US officials, including hits on the San Bernardino County Sheriff's Department and hospitals run by Prospect Medical Group. The latter resulted in the closure of emergency rooms and medical facilities across the US. US officials estimated that, since its creation in 2008, Qakbot had infected around 200,000 computers in the US and 700,000 globally.

Google

Google DeepMind Launches Watermarking Tool For AI-Generated Images (technologyreview.com) 16

Google DeepMind has launched a new watermarking tool that labels whether images have been generated with AI. From a report: The tool, called SynthID, will initially be available only to users of Google's AI image generator Imagen, which is hosted on Google Cloud's machine learning platform Vertex. Users will be able to generate images using Imagen and then choose whether to add a watermark or not. The hope is that it could help people tell when AI-generated content is being passed off as real, or help protect copyright. [...] Traditionally images have been watermarked by adding a visible overlay onto them, or adding information into their metadata. But this method is "brittle" and the watermark can be lost when images are cropped, resized, or edited, says Pushmeet Kohli, vice president of research at Google DeepMind.

SynthID is created using two neural networks. One takes the original image and produces another image that looks almost identical to it, but with some pixels subtly modified. This creates an embedded pattern that is invisible to the human eye. The second neural network can spot the pattern and will tell users whether it detects a watermark, suspects the image has a watermark, or finds that it doesn't have a watermark. Kohli said SynthID is designed in a way that means the watermark can still be detected even if the image is screenshotted or edited -- for example, by rotating or resizing it.

AI

Does 'Coning' Self-Driving Cars Protest Tech Industry Impacts? (npr.org) 145

In July "Safe Street Rebels" launched the "Week of Cone" pranks (which went viral on TikTok and Twitter). TechCrunch called it "a bid to raise awareness and invite more pissed-off San Franciscans to submit public comments" to regulatory agencies.

But NPR sees a larger context: Coning driverless cars fits in line with a long history of protests against the impact of the tech industry on San Francisco. Throughout the years, activists have blockaded Google's private commuter buses from picking up employees in the city. And when scooter companies flooded the sidewalks with electric scooters, people threw them into San Francisco Bay. "Then there was the burning of Lime scooters in front of a Google bus," says Manissa Maharawal, an assistant professor at American University who has studied these protests.

She points out that when tech companies test their products in the city, residents don't have much say in those decisions: "There's been various iterations of this where it's like, 'Oh, yep, let's try that out in San Francisco again,' with very little input from anyone who lives here...." Waymo is already giving rides in Phoenix and is testing with human safety drivers in Los Angeles and Austin. And Cruise is offering rides in Phoenix and Austin and testing in Dallas, Houston, Miami, Nashville and Charlotte.

Meanwhile, in San Francisco, members of Safe Street Rebel continue to go out at night and stalk the vehicles one cone at a time.

They're apparently bicycling activists, judging by their web site, advocating "for car-free spaces, transit equity, and the end of car dominance." ("We regularly protest the city's thoughtless reopening of the Upper Great Highway to cars by slowing traffic to show just how unnecessary of a route this road is.") Their long-term goal is to expand the group "to the point where we can make a city for people to safely walk, bike and take public transit, not a city dominated by cars..."

The last half-century has been a failed experiment with car dominance. They bankrupt our cities, ruin our environment, and force working people to sacrifice an unacceptable amount of their income to pay for basic transportation. It is time to end car dependence and rethink our streets around public transit, walking and bikes.

Their demands include unredacted data from self-driving car companies about safety incidents (and a better reporting system) — plus a mechanism for actually citing robotaxis for traffic violations. But they also raise concerns about surveillance, noting the possibility of "a city-wide, moving network observing and analyzing everything."

Their web page says they also want to see studies on the pollution impact of self-driving cars — and whether or not AVs will increase car usage. They support the concerns of San Francisco's Taxi Workers Alliance about the possibility of lost jobs and increased traffic congestion.

And they raise one more concern: Their cars are not wheelchair accessible and do not pull up to the curb. Profit-driven robotaxi companies see accessibility as an afterthought. Without enforcement, their promises for the future will likely never materialize. Paratransit and transit are accountable to the public, but Cruise and Waymo are only accountable to shareholders.
But their list of concerns is followed by an exhaustive list of 266 robotaxi incidents documented with links to news articles and social media reports. ("The cars have run red lights, rear-ended a bus and blocked crosswalks and bike paths," writes NPR. "In one incident, dozens of confused cars congregated in a residential cul-de-sac, clogging the street. In another, a Waymo ran over and killed a dog.")

NPR's article adds one final note. "Neither Cruise nor Waymo responded to questions about why the cars can be disabled by traffic cones."

Thanks to Slashdot reader Tony Isaac for sharing the news.

AI

California Firefighters Are Training AI To Detect Wildfires (nytimes.com) 13

Firefighters are training a robot to scan the horizon for fires. It turns out a lot of things look like smoke. From a report: For years, firefighters in California have relied on a vast network of more than 1,000 mountaintop cameras to detect wildfires. Operators have stared into computer screens around the clock looking for wisps of smoke. This summer, with wildfire season well underway, California's main firefighting agency is trying a new approach: training an artificial intelligence program to do the work. The idea is to harness one of the state's great strengths -- expertise in A.I. -- and deploy it to prevent small fires from becoming the kinds of conflagrations that have killed scores of residents and destroyed thousands of homes in California over the past decade.

Officials involved in the pilot program say they are happy with early results. Around 40 percent of the time, the artificial intelligence software was able to alert firefighters of the presence of smoke before dispatch centers received 911 calls. "It has absolutely improved response times," said Phillip SeLegue, the staff chief of intelligence for the California Department of Forestry and Fire Protection, the state's main firefighting agency better known as Cal Fire. In about two dozen cases, Mr. SeLegue said, the A.I. identified fires that the agency never received 911 calls for. The fires were extinguished when they were still small and manageable.

After an exceptionally wet winter, California's fire season has not been as destructive -- so far -- as in previous years. Cal Fire counts 4,792 wildfires so far this year, lower than the five-year average of 5,422 for this time of year. Perhaps more important, the number of acres burned this year has been only one-fifth of the five-year average of 812,068 acres. The A.I. pilot program, which began in late June and covered six of Cal Fire's command centers, will be rolled out to all 21 command centers starting in September. But the program's apparent success comes with caveats. The system can detect fires only visible to the cameras. And at this stage, humans are still needed to make sure the A.I. program is properly identifying smoke. Engineers for the company that created the software, DigitalPath, based in Chico, Calif., are monitoring the system day and night, and manually vetting every incident that the A.I. identifies as fire.

Chrome

Chromebooks Get New Way To Run Windows Apps With Cameyo's Virtual App Delivery (9to5google.com) 19

An anonymous reader quotes a report from 9to5Google: Google has worked with Cameyo to give enterprise Chromebooks another way to run Windows applications using ChromeOS Virtual App Delivery. Cameyo is an enterprise company that offers a "Virtual App Delivery" (VAD) platform that can stream Windows, Linux, internal web, and SaaS applications to other devices. This offering is now getting tight integration with ChromeOS. These Windows apps appear like other icons in a Chromebook's launcher and taskbar. Behind the scenes, they are PWAs (Progressive Web Apps) that aim to blur their streamed nature with native file system integration. This includes letting users access local files and folders from within the virtual instances. Similarly, integration with the ChromeOS Clipboard Connector allows for local copy and paste.

When a user opens a specific file type, Cameyo makes it so that the appropriate virtual app launches. These virtual apps can be streamed from the cloud or on-premises data centers. Compared to full virtual desktop apps, this approach is said to "eliminate the infrastructure and licensing complexity." On the security front: "apps and devices are isolated from network resources and segmented by default so that users only access the apps and data they need to get their jobs done, all while eliminating the need to expose firewall and server ports to the open internet." ChromeOS Virtual App Delivery with Cameyo is available today as an enterprise offering. There is no consumer equivalent.

AI

DHS Has Spent Millions On an AI Surveillance Tool That Scans For 'Sentiment and Emotion' (404media.co) 50

New submitter Slash_Account_Dot shares a report from 404 Media, a new independent media company founded by technology journalists Jason Koebler, Emanuel Maiberg, Samantha Cole, and Joseph Cox: Customs and Border Protection (CBP), part of the Department of Homeland Security, has bought millions of dollars worth of software from a company that uses artificial intelligence to detect "sentiment and emotion" in online posts, according to a cache of documents obtained by 404 Media. CBP told 404 Media it is using technology to analyze open source information related to inbound and outbound travelers who the agency believes may threaten public safety, national security, or lawful trade and travel. In this case, the specific company called Fivecast also offers "AI-enabled" object recognition in images and video, and detection of "risk terms and phrases" across multiple languages, according to one of the documents.

Marketing materials promote the software's ability to provide targeted data collection from big social platforms like Facebook and Reddit, but also specifically name smaller communities like 4chan, 8kun, and Gab. To demonstrate its functionality, Fivecast promotional materials explain how the software was able to track social media posts and related Persons-of-Interest starting with just "basic bio details" from a New York Times Magazine article about members of the far-right paramilitary Boogaloo movement. 404 Media also obtained leaked audio of a Fivecast employee explaining how the tool could be used against trafficking networks or propaganda operations. The news signals CBP's continued use of artificial intelligence in its monitoring of travelers and targets, which can include U.S. citizens. This latest news shows that CBP has deployed multiple AI-powered systems, and provides insight into what exactly these tools claim to be capable of while raising questions about their accuracy and utility.

"CBP should not be secretly buying and deploying tools that rely on junk science to scrutinize people's social media posts, claim to analyze their emotions, and identify purported 'risks,'" said Patrick Toomey, deputy director of the ACLU's National Security Project. "The public knows far too little about CBP's Counter Network Division, but what we do know paints a disturbing picture of an agency with few rules and access to an ocean of sensitive personal data about Americans. The potential for abuse is immense."

The Internet

SpaceX Working With Cloudflare To Speed Up Starlink Service 60

According to The Information (paywalled), SpaceX is working with Cloudflare to boost the performance of its satellite internet service Starlink. Reuters reports: The two companies are working on a way to increase Starlink's network of mini data centers around the globe that could help it deliver faster network speeds to its customers, the report said. According to SpaceX's website, Starlink users typically have download speeds between 25 and 220 Mbps, with the "majority" over 100 Mbps. Upload speeds range between 5 and 20 Mbps.

Apple

Apple Formally Endorses Right To Repair Legislation After Spending Millions Fighting It (404media.co) 97

samleecole shares a report from 404 Media, a new independent media company founded by technology journalists Jason Koebler, Emanuel Maiberg, Samantha Cole, and Joseph Cox: Apple told a California legislator that it is formally supporting a right to repair bill in California, a landmark move that suggests big tech manufacturers understand they have lost the battle to monopolize repair, and need to allow consumers and independent repair shops to fix their own electronics. "Apple writes in support of SB 244, and urges members of the California legislature to pass the bill as currently drafted," Apple wrote to Susan Eggman, the sponsor of the bill, in a letter obtained by 404 Media. "We support SB 244 because it includes requirements that protect individual users' safety and security, as well as product manufacturers' intellectual property. We will continue to support the bill, so long as it continues to provide protections for customers and innovators."

This is a landmark shift in policy from Apple, the most powerful electronics manufacturer in the world and, historically, one of the biggest opponents of right to repair legislation nationwide. It means, effectively, that consumers have won.
"If California votes yes and continues to raise the bar on electronics repair from other states, it's becoming obvious the fight is over, and that we've won," said Nathan Proctor, Senior Director of consumer rights group U.S. PIRG Campaign for the Right to Repair. "It's going to be show over for consumer electronics. There are other industries where this fight is going to continue, but if a strong bill passes in California, we're winning."

"I would think that passage in California means there'd be a lot of pressure on manufacturers to kind of set the line there and say 'no farther,' because we've now proven to them we can pass laws and change the ways they have to operate," Proctor added. "This shows state advocacy is a good way to deal with large problems that are hard to get through Congress. It shows you can really spread big tech thin if you have a real grassroots network behind you."

iFixit and TechCrunch first reported the news.

United Kingdom

Teenagers Convicted of Grand Theft Auto, Nvidia Lapsus$ Hacks in the UK (bloomberg.com) 35

Two UK teenagers accused of being key members of the notorious hacking group Lapsus$, behind attacks on companies including Nvidia, Rockstar Games, and Uber, were convicted of their crimes by a London jury Wednesday. From a report: Arion Kurtaj, 18, and a 17-year-old male, who can't be identified, were found to have carried out a number of offenses including serious computer misuse, blackmail and fraud against BT Group's EE network and Nvidia. Kurtaj was also separately accused of hacks into Uber, Rockstar's Grand Theft Auto game, and fintech firm Revolut. The Southwark Crown Court jury only needed to come to a decision on whether Kurtaj was liable for the crimes after he was found by the judge to be unfit to stand trial because of a complex medical condition. The jury found him liable for all 12 charges. The 17-year-old was found guilty of hacking, fraud and blackmail against Nvidia and cleared over two other counts against EE. He had previously pleaded guilty to two charges relating to the BT hacks. Lapsus$ are an international bunch of loosely connected online extortionists.

AI

Meta's 'Massively Multilingual' AI Model Translates Up To 100 Languages, Speech or Text 14

An anonymous reader quotes a report from Ars Technica: On Tuesday, Meta announced SeamlessM4T, a multimodal AI model for speech and text translations. As a neural network that can process both text and audio, it can perform text-to-speech, speech-to-text, speech-to-speech, and text-to-text translations for "up to 100 languages," according to Meta. Its goal is to help people who speak different languages communicate with each other more effectively. Continuing Meta's relatively open approach to AI, Meta is releasing SeamlessM4T under a research license (CC BY-NC 4.0) that allows developers to build on the work. They're also releasing SeamlessAlign, which Meta calls "the biggest open multimodal translation dataset to date, totaling 270,000 hours of mined speech and text alignments." That will likely kick-start the training of future translation AI models from other researchers.

Among the features of SeamlessM4T touted on Meta's promotional blog, the company says that the model can perform speech recognition (you give it audio of speech, and it converts it to text), speech-to-text translation (it translates spoken audio to a different language in text), speech-to-speech translation (you feed it speech audio, and it outputs translated speech audio), text-to-text translation (similar to how Google Translate functions), and text-to-speech translation (feed it text and it will translate and speak it out in another language). Each of the text translation functions supports nearly 100 languages, and the speech output functions support about 36 output languages.

The Internet

ICANN Warns UN May Sideline Tech Community From Future Internet Governance (theregister.com) 79

The United Nations' proposed Global Digital Compact will exclude technical experts as a distinct voice in internet governance, ignoring their enormous contributions to growing and sustaining the internet, according to ICANN and two of the world's regional internet registries. From a report: The Global Digital Compact is an effort to "outline shared principles for an open, free and secure digital future for all." The UN hopes the compact will address issues such as digital inclusion, internet fragmentation, giving individuals control over how their data is used, and making the internet trustworthy "by introducing accountability criteria for discrimination and misleading content." But ICANN, the Asia Pacific Network Information Centre (APNIC), and the American Registry for Internet Numbers (ARIN) worry that recent articulations of the Compact suggest it should use a tripartite model for digital cooperation with three stakeholder groups: the private sector, governments, and civil society. That's dangerous, ICANN and co argue, because technical stakeholders would lose their distinct voice.

They've therefore co-signed and published a document criticizing the Compact as it stands today. "The technical community is not part of civil society and it has never been," the document states, citing outcomes of the World Summit of the Information Society (WSIS) -- a UN event staged in 2003 and 2005 that defined a multi-stakeholder internet governance framework. 2015's WSIS+10 event affirmed that strategy. "This model excludes the technical community as a distinct component, and overlooks the unique and essential roles played by that community's members separately and collectively," DNS overlord ICANN and the registries added.

AI

Use of AI Is Seeping Into Academic Journals - and It's Proving Difficult To Detect 40

The rapid rise of generative AI has stoked anxieties across disciplines. High school teachers and college professors are worried about the potential for cheating. News organizations have been caught with shoddy articles penned by AI. And now, peer-reviewed academic journals are grappling with submissions in which the authors may have used generative AI to write outlines, drafts, or even entire papers, but failed to make the AI use clear. Wired: Journals are taking a patchwork approach to the problem. The JAMA Network, which includes titles published by the American Medical Association, prohibits listing artificial intelligence generators as authors and requires disclosure of their use. The family of journals produced by Science does not allow text, figures, images, or data generated by AI to be used without editors' permission. PLOS ONE requires anyone who uses AI to detail what tool they used, how they used it, and ways they evaluated the validity of the generated information. Nature has banned images and videos that are generated by AI, and it requires the use of language models to be disclosed. Many journals' policies make authors responsible for the validity of any information generated by AI.

Experts say there's a balance to strike in the academic world when using generative AI -- it could make the writing process more efficient and help researchers more clearly convey their findings. But the tech -- when used in many kinds of writing -- has also dropped fake references into its responses, made things up, and reiterated sexist and racist content from the internet, all of which would be problematic if included in published scientific writing. If researchers use these generated responses in their work without strict vetting or disclosure, they raise major credibility issues. Not disclosing use of AI would mean authors are passing off generative AI content as their own, which could be considered plagiarism. They could also potentially be spreading AI's hallucinations, or its uncanny ability to make things up and state them as fact.

Communications

South Korea's Biggest Telco Says 5G Has Failed To Deliver On Its Promise (theregister.com) 57

SK Telecom, South Korea's dominant mobile carrier and sibling of chipmaker SK hynix, has declared that 5G was over-hyped, has under-delivered, and has failed to deliver a killer app. From a report: The telco offered that assessment in a recent white paper titled "5G Lessons Learned, 6G Key Requirements, 6G Network Evolution, and 6G Spectrum." The paper opens with an unflattering assessment of 5G, which the authors recall being sold as an enabler of autonomous driving, unmanned aerial vehicles (UAM), extended reality (XR) and digital twins. Those applications were possible, but did not succeed due to a combination of "device form factor constraints, immaturity of device and service technology, low or absent market demand, and policy/regulation issues."

The performance of 5G networks was not the issue, the paper argues. The telco argued that some of the goals set out by the UN's international standardization org ITU-R for 5G were met, but many tasks are still far from completion four years into the technology's commercial deployment. Those goals were meant to be realized in the long term -- but that expectation was not accurately conveyed to consumers, leading to "excessive expectations."

Australia

Australia's ISPs Will Stop Offering Free Email Addresses, to the Disgust of Older Customers (theguardian.com) 69

Remember when your email address came from your ISP?

Now the cost for small companies to offer email service "has gone up in server and administration costs," reports the Guardian, "without the economies of scale." But in Australia, this has created a problem for people like the Canberra-based customer of iiNet who's had the same email address since the 1990s... TPG — which owns brands that have historically offered email including iiNet all the way back to OzEmail — informed customers in July that it would migrate their email to a separate private service, the Messaging Company, by the end of November. Users will keep their existing email addresses on this service, and would get it free for the first year. After that, there will be options of paying for a service, or an ad-based free service after that. The amount to be charged from next year has not yet been decided.

The announcement was met with outrage among users of the long-running web forum Whirlpool. "It's a shitty move. My wife has never set up a Gmail or Yahoo and only ever used her iiNet email address for her business as well as personal. This screws us royally," one user said.

"Us oldies couldn't start out using Gmail etc because they weren't in existence 25 years ago," another said.

"It's a nightmare trying to change logins at many places...."

The other factor is the increasing security risk. Legacy systems, particularly those managed under a variety of absorbed companies, as with TPG, can over time become more at risk of a cybersecurity attack or breach. External providers who offer this service either in place of, or on behalf of the internet service provider are becoming seen as the more secure option....

The Australian Communications Consumer Action Network chief executive, Andrew Williams, says that ultimately internet providers getting out of the email game is a good thing because it means customers don't feel locked into one internet company...

With the rise in data breaches, and the avalanche of spam and scams, the shift offers people the opportunity of a clean email slate, according to Andrew Williams, of the Australian Communications Consumer Action Network.

AI

After Firetruck Crash, California Tells Cruise to Reduce Robotaxi Fleet by 50% in San Francisco (sfchronicle.com) 160

Thursday a Cruise robotaxi drove through a green light in front of an oncoming firetruck "with its forward facing red lights and siren on, the San Francisco Police Department said in a statement to Reuters." The San Francisco Chronicle adds that the Cruise vehicle's passenger "was treated on the scene and taken in an ambulance to a hospital, though the company said the injuries were 'non-severe.' The company added in an email to the Chronicle that the passenger was on the scene walking around and talking to emergency responders before being taken to the hospital."

By Friday California's Department of Motor Vehicles said it was investigating the "concerning incidents," according to TechCrunch. But it adds that the AV-regulating agency also "called for Cruise to reduce its fleet by 50% and have no more than 50 driverless vehicles in operation during the day and 150 driverless vehicles in operation at night until the investigation is complete." Cruise told TechCrunch it is complying with the request. Cruise also issued a blog post giving the company's perspective of how and why the crash occurred.
Cruise's blog post points out the firetruck was unexpectedly in the oncoming lane of traffic that night. But meanwhile, elsewhere in the city... The same night, a Cruise car collided with another vehicle at 26th and Mission streets. The company said another driverless car, which had no passengers, entered the intersection on a green light when another car ran a red light at high speed. The driverless car detected the other car and braked, according to Cruise, but the two cars still collided...

The collisions came a day after city officials asked state regulators to halt their approval of robotaxi companies' unrestricted commercial expansion in the city, citing concerns about how the robotaxis' behavior impacts emergency responders.

Last weekend Cruise was also criticized after "as many as 10 Cruise driverless taxis blocked two narrow streets," reports the Los Angeles Times: Human-driven cars sat stuck behind and in between the robotaxis, which might as well have been boulders: no one knew how to move them.... The cars sat motionless with parking lights flashing for 15 minutes, then woke up and moved on, witnesses said.
Cruise "blamed cellphone carriers for the problem," according to the article — arguing that a music festival overloaded the cellphone network they used to communicate with their vehicles.

Thanks to Slashdot reader jjslash for sharing the story.

Encryption

Google Releases First Quantum-Resilient FIDO2 Key Implementation (bleepingcomputer.com) 16

An anonymous reader quotes a report from BleepingComputer: Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich. FIDO2 is the second major version of the Fast IDentity Online authentication standard, and FIDO2 keys are used for passwordless authentication and as a multi-factor authentication (MFA) element. Google explains that a quantum-resistant FIDO2 security key implementation is a crucial step towards ensuring safety and security as the advent of quantum computing approaches and developments in the field follow an accelerating trajectory.

To protect against quantum computers, a new hybrid algorithm was created by combining the established ECDSA algorithm with the Dilithium algorithm. Dilithium is a quantum-resistant cryptographic signature scheme that NIST included in its post-quantum cryptography standardization proposals, praising its strong security and excellent performance, making it suitable for use in a wide array of applications. This hybrid signature approach that blends classic and quantum-resistant features wasn't simple to manifest, Google says. Designing a Dilithium implementation that's compact enough for security keys was incredibly challenging. Its engineers, however, managed to develop a Rust-based implementation that only needs 20KB of memory, making the endeavor practically possible, while they also noted its high-performance potential.

The hybrid signature schema was first presented in a 2022 paper (PDF) and recently gained recognition at the ACNS (Applied Cryptography and Network Security) 2023, where it won the "best workshop paper" award. This new hybrid implementation is now part of the OpenSK, Google's open-source security keys implementation that supports the FIDO U2F and FIDO2 standards. The tech giant hopes that its proposal will be adopted by FIDO2 as a new standard and supported by major web browsers with large user bases. The firm calls the application of next-gen cryptography at the internet scale "a massive undertaking" and urges all stakeholders to move quickly to maintain good progress on that front.

Windows

Windows Feature That Resets System Clock Based On Random Data Is Wreaking Havoc (arstechnica.com) 119

An anonymous reader quotes a report from Ars Technica: A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to maintain a routing table that tracked cell phone numbers in real time as they were being moved from one carrier to the other. A jump of eight weeks had dire consequences because it caused numbers that had yet to be transferred to be listed as having already been moved and numbers that had already been transferred to be reported as pending. "With these updated routing tables, a lot of people were unable to make calls, as we didn't have a correct state!" the engineer, who asked to be identified only by his first name, Simen, wrote in an email. "We would route incoming and outgoing calls to the wrong operators! This meant, e.g., children could not reach their parents and vice versa."

Simen had experienced a similar error last August when a machine running Windows Server 2019 reset its clock to January 2023 and then changed it back a short time later. Troubleshooting the cause of that mysterious reset was hampered because the engineers didn't discover it until after event logs had been purged. The newer jump of 55 days, on a machine running Windows Server 2016, prompted him to once again search for a cause, and this time, he found it. The culprit was a little-known feature in Windows known as Secure Time Seeding. Microsoft introduced the time-keeping feature in 2016 as a way to ensure that system clocks were accurate. Windows systems with clocks set to the wrong time can cause disastrous errors when they can't properly parse time stamps in digital certificates or they execute jobs too early, too late, or out of the prescribed order. Secure Time Seeding, Microsoft said, was a hedge against failures in the battery-powered on-board devices designed to keep accurate time even when the machine is powered down.

"You may ask -- why doesn't the device ask the nearest time server for the current time over the network?" Microsoft engineers wrote. "Since the device is not in a state to communicate securely over the network, it cannot obtain time securely over the network as well, unless you choose to ignore network security or at least punch some holes into it by making exceptions." To avoid making security exceptions, Secure Time Seeding sets the time based on data inside an SSL handshake the machine makes with remote servers. These handshakes occur whenever two devices connect using the Secure Sockets Layer protocol, the mechanism that provides encrypted HTTPS sessions (it is also known as Transport Layer Security). Because Secure Time Seeding (abbreviated as STS for the rest of this article) used SSL certificates Windows already stored locally, it could ensure that the machine was securely connected to the remote server. The mechanism, Microsoft engineers wrote, "helped us to break the cyclical dependency between client system time and security keys, including SSL certificates."
