Feed aggregator

Steam Closes Early Access Playtime Loophole

Slashdot - Wed, 24/04/2024 - 9:20 PM
An anonymous reader shares a report: "Early Access" was once a novel, quirky thing, giving a select set of Steam PC games a way to involve enthusiastic fans in pre-alpha-level play-testing and feedback. Now loads of games launch in various forms of Early Access, in a wide variety of readiness. It's been a boon for games like Baldur's Gate 3, which came a long way across years of Early Access. Early Access, and the "Advanced Access" provided for complete games by major publishers for "Deluxe Editions" and the like, has also been a boon to freeloaders. Craven types could play a game for hours and hours, then demand a refund within the standard two hours of play, 14 days after the purchase window of the game's "official" release. Steam-maker Valve has noticed and, as of Tuesday night, updated its refund policy. "Playtime acquired during the Advanced Access period will now count towards the Steam refund period," reads the update. In other words: Playtime is playtime now, so if you've played more than two hours of a game in any state, you don't get a refund. That closes at least one way that people could, with time-crunched effort, play and enjoy games for free in either Early or Advanced access.

Read more of this story at Slashdot.

Tails 6.2 Improves Security, Expands Multilingual Support

LinuxSecurity.com - Wed, 24/04/2024 - 3:07 PM
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a Debian-based operating system that enables users to remain incognito online and securely browse the web.

Hacker's Corner: Complete Guide to Keylogging in Linux - Part 2

LinuxSecurity.com - Wed, 24/04/2024 - 1:00 PM
In Complete Guide to Keylogging in Linux: Part 1, we discussed how to write keyloggers for Linux by reading keyboard device events. This article continues the discussion of keyboard event capture, giving you more techniques to use for keylogger attacks in network security.

Fedora 40 Released with Impressive Speed & New Security Features

LinuxSecurity.com - Wed, 24/04/2024 - 1:00 PM
Fedora 40, the newest version of the Fedora operating system, is an efficient and lightning-fast release with various new and useful features. Compared to its previous releases, Fedora 40 is faster and offers maximum efficiency to users.

Hacker's Corner: Complete Guide to Anti-Debugging in Linux - Part 1

LinuxSecurity.com - Wed, 24/04/2024 - 1:00 PM
Keylogger attacks in network security have become more popular over time. Therefore, businesses must implement procedures and tactics to prevent these network security issues from harming a server.

next-20240424: linux-next

Kernel Linux - Wed, 24/04/2024 - 12:19 PM
Version: next-20240424 (linux-next) Released: 2024-04-24

Ubuntu Blog: What’s new in security for Ubuntu 24.04 LTS?

Planet Ubuntu - Wed, 24/04/2024 - 10:40 AM

We’re excited about the upcoming Ubuntu 24.04 LTS release, Noble Numbat. Like all Ubuntu releases, Ubuntu 24.04 LTS comes with 5 years of free security maintenance for the main repository. Support can be expanded for an extra 5 years, and to include the universe repository, via Ubuntu Pro.  Organisations looking to keep their systems secure without needing a major upgrade can also get the Legacy Support add-on to expand that support beyond the 10 years. Combined with the enhanced security coverage provided by Ubuntu Pro and Legacy Support, Ubuntu 24.04 LTS provides a secure foundation on which to develop and deploy your applications and services in an increasingly risky environment. In this blog post, we will look at some of the enhancements and security features included in Noble Numbat, building on those available in Ubuntu 22.04 LTS.

Unprivileged user namespace restrictions

Unprivileged user namespaces are a widely used feature of the Linux kernel, providing additional security isolation for applications, and are often employed as part of a sandbox environment. They allow an application to gain additional permissions within a constrained environment, so that a more trusted part of an application can use those permissions to create a more constrained sandbox within which less trusted parts are then executed. A common use case is the sandboxing employed by modern web browsers, where the (trusted) application itself sets up the sandbox in which it executes untrusted web content. However, by providing these additional permissions, unprivileged user namespaces also expose additional attack surface within the Linux kernel, and there is a long history of their (ab)use to exploit kernel vulnerabilities. The most recent interim release of Ubuntu, 23.10, introduced the ability to restrict the use of unprivileged user namespaces to only those applications which legitimately require such access. In Ubuntu 24.04 LTS, this feature has been improved both to cover additional applications, within Ubuntu and from third parties, and to provide better default semantics. In Ubuntu 24.04 LTS, all applications may create unprivileged user namespaces, but access to any additional permissions within the namespace is denied by default. This allows more applications to handle the default restriction gracefully, whilst still protecting against the abuse of user namespaces to reach additional attack surfaces within the Linux kernel.

Binary hardening

Modern toolchains and compilers have gained many enhancements to be able to create binaries that include various defensive mechanisms. These include the ability to detect and avoid various possible buffer overflow conditions as well as the ability to take advantage of modern processor features like branch protection for additional defence against code reuse attacks.

The GNU C library, used as the cornerstone of many applications on Ubuntu, provides runtime detection of, and protection against, certain types of buffer overflow, as well as certain dangerous string handling operations, via the _FORTIFY_SOURCE macro. FORTIFY_SOURCE can be specified at various levels providing increasing security features, ranging from 0 to 3. Modern Ubuntu releases have all used FORTIFY_SOURCE=2, which provides a solid foundation by including checks on string handling functions like sprintf(), strcpy() and others to detect possible buffer overflows, as well as format-string vulnerabilities via the %n format specifier in various cases. Ubuntu 24.04 LTS enables additional security features by increasing this to FORTIFY_SOURCE=3. Level three greatly enhances the detection of possible dangerous use of a number of other common memory management functions including memmove(), memcpy(), snprintf(), vsnprintf(), strtok() and strncat(). This feature is enabled by default in the gcc compiler within Ubuntu 24.04 LTS, so that all packages in the Ubuntu archive which are compiled with gcc, and any applications compiled with gcc on Ubuntu 24.04 LTS, also receive this additional protection.

The Armv8-M hardware architecture (provided by the “arm64” software architecture on Ubuntu) provides hardware-enforced pointer authentication and branch target identification. Pointer authentication makes it possible to detect malicious stack buffer modifications that aim to redirect pointers stored on the stack to attacker-controlled locations, whilst branch target identification is used to track certain indirect branch instructions and the possible locations which they can target. By tracking such valid locations, the processor can detect possible malicious jump-oriented programming attacks which aim to use existing indirect branches to jump to other gadgets within the code. The gcc compiler supports these features via the -mbranch-protection option. In Ubuntu 24.04 LTS, dpkg now enables -mbranch-protection=standard, so that all packages within the Ubuntu archive enable support for these hardware features where available.

AppArmor 4

The aforementioned unprivileged user namespace restrictions are all backed by the AppArmor mandatory access control system. AppArmor allows a system administrator to implement the principle of least authority by defining which resources an application should be granted access to and denying all others. AppArmor consists of a userspace package, which is used to define the security profiles for applications and the system, as well as the AppArmor Linux Security Module within the Linux kernel, which enforces the policies. Ubuntu 24.04 LTS includes the latest AppArmor 4.0 release, providing support for many new features, such as specifying allowed network addresses and ports within the security policy (rather than just high-level protocols) or various conditionals that allow more complex policies to be expressed. An exciting new development provided by AppArmor 4 in Ubuntu 24.04 LTS is the ability to defer access control decisions to a trusted userspace program. This allows quite advanced decision making to be implemented, taking into account the greater context available within userspace, or even interacting with the user or system administrator in real time. For example, the experimental snapd prompting feature takes advantage of this work to allow users to exercise direct control over which files a snap can access within their home directory. Finally, within the kernel, AppArmor has gained the ability to mediate access to user namespaces as well as the io_uring subsystem, both of which have historically provided additional kernel attack surfaces to malicious applications.

Disabling of old TLS versions

The use of cryptography for private communications is the backbone of the modern internet. The Transport Layer Security protocol has provided confidentiality and integrity to internet communications since it was first standardised in 1999 with TLS 1.0. This protocol has undergone various revisions since that time to introduce additional security features and avoid various security issues inherent in the earlier versions of this standard. Given the wide range of TLS versions and options supported by each, modern internet systems will use a process of auto-negotiation to select an appropriate combination of protocol version and parameters when establishing a secure communications link. In Ubuntu 24.04 LTS, TLS 1.0, 1.1 and DTLS 1.0 are all forcefully disabled (for any applications that use the underlying openssl or gnutls libraries) to ensure that users are not exposed to possible TLS downgrade attacks which could expose their sensitive information.

Upstream Kernel Security Features

Linux kernel v5.15 was used as the basis for the Linux kernel in the previous Ubuntu 22.04 LTS release. This provided a number of kernel security features including core scheduling, kernel stack randomisation and unprivileged BPF restrictions to name a few. Since that time, the upstream Linux kernel community has been busy adding additional kernel security features. Ubuntu 24.04 LTS includes the v6.8 Linux kernel which provides the following additional security features:

Intel shadow stack support

Modern Intel CPUs support an additional hardware feature aimed at preventing certain types of return-oriented programming (ROP) and other attacks that rely on malicious corruption of the call stack. A shadow stack is a hardware-enforced copy of the return addresses on the stack that cannot be directly modified by ordinary program code. When the processor returns from a function call, the return address from the stack is compared against the value from the shadow stack; if the two differ, the process is terminated to prevent a possible ROP attack. Whilst compiler support for this feature has been enabled for userspace packages since Ubuntu 19.10, it could not be used until the kernel and the C library also supported it. Ubuntu 24.04 LTS includes this additional support for shadow stacks, allowing the feature to be enabled when desired by setting the GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK environment variable.

Secure virtualisation with AMD SEV-SNP and Intel TDX

Confidential computing represents a fundamental departure from the traditional threat model, where vulnerabilities in the complex codebase of privileged system software like the operating system, hypervisor, and firmware pose ongoing risks to the confidentiality and integrity of both code and data. Likewise, unauthorised access by a malicious cloud administrator could jeopardise the security of your virtual machine (VM) and its environment. Building on the innovation of Trusted Execution Environments at the silicon level, Ubuntu Confidential VMs aim to restore your control over the security assurances of your VMs.

For the x86 architecture, both AMD and Intel processors provide hardware features (named AMD SEV SNP and Intel TDX respectively) to support running virtual machines with memory encryption and integrity protection. They ensure that the data contained within the virtual machine is inaccessible to the hypervisor and hence the infrastructure operator.  Support for using these features as a guest virtual machine was introduced in the upstream Linux kernel version 5.19.

Thanks to Ubuntu Confidential VMs, a user can make use of compute resources provided by a third party whilst maintaining the integrity and confidentiality of their data through the use of memory encryption and other features. On the public cloud, Ubuntu offers the widest portfolio of confidential VMs. These build on the hardware features of both vendors, with offerings available across Microsoft Azure, Google Cloud and Amazon AWS.

For enterprise customers seeking to harness confidential computing within their private data centres, a fully enabled software stack is essential. This stack encompasses both the guest side (kernel and OVMF) and the host side (kernel-KVM, QEMU, and Libvirt). Currently, the host-side patches are not yet upstream. To address this, Canonical and Intel have forged a strategic collaboration to empower Ubuntu customers with an Intel-optimised TDX Ubuntu build. This offering includes all necessary guest and host patches, even those not yet merged upstream, starting with Ubuntu 23.10 and extending into 24.04 and beyond. The complete TDX software stack is accessible through this github repository. 

This collaborative effort enables our customers to promptly leverage the security assurances of Intel TDX. It also serves to narrow the gap between silicon innovation and software readiness, a gap that grows as Intel continues to push the boundaries of hardware innovation with 5th Gen Intel Xeon scalable processors and beyond.

Strict compile-time bounds checking

Similar to the hardening of binaries within the libraries and applications distributed in Ubuntu, the Linux kernel itself gained enhanced support for detecting possible buffer overflows at compile time via improved bounds checking of the memcpy() family of functions. Within the kernel, the FORTIFY_SOURCE macro enables various checks in memory management functions like memcpy() and memset() by verifying that the size of the destination object is large enough to hold the specified amount of memory, and if not, aborting the compilation process. This helps to catch various trivial memory management issues, but previously was not able to properly handle more complex cases such as when an object was embedded within a larger object. This is quite a common pattern within the kernel, so the changes introduced in the upstream 5.18 kernel version to enumerate and fix various such cases greatly improve this feature. Now the compiler is able to detect and enforce stricter checks when performing memory operations on sub-objects, ensuring that other object members are not inadvertently overwritten and avoiding an entire class of possible buffer overflow vulnerabilities within the kernel.
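As an added illustration (not code from the Ubuntu blog post, glibc or the kernel), the following C program contrasts the two bounds a FORTIFY-style check can use: the whole enclosing object, which is what the older kernel checks and a destination-size check in userspace FORTIFY_SOURCE compare against, and the embedded member itself, which is the sub-object bound the 5.18 kernel work enforces. The struct packet type, the copy helpers and the 20-byte input are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed buffer embedded between two other members,
 * the "object within a larger object" pattern that is common in the kernel. */
struct packet {
    uint32_t seq;
    char     payload[16];
    uint32_t checksum;   /* sibling member that an oversized copy would clobber */
};

/* Size of one member, and of everything from that member to the end of the
 * enclosing object: the two bounds the strict and loose checks compare against. */
#define MEMBER_SIZE(type, member)    sizeof(((type *)0)->member)
#define REMAINING_SIZE(type, member) (sizeof(type) - offsetof(type, member))

/* Whole-object bound: only rejects copies that run past the end of the struct.
 * A 20-byte copy into the 16-byte payload passes this check and silently
 * overwrites checksum. Returns 0 on success, -1 if the copy is rejected. */
int copy_payload_loose(struct packet *p, const void *src, size_t n)
{
    if (n > REMAINING_SIZE(struct packet, payload))
        return -1;
    memcpy(p->payload, src, n);
    return 0;
}

/* Sub-object bound: the copy must fit inside the payload member itself,
 * so sibling members can never be overwritten through this path. */
int copy_payload_strict(struct packet *p, const void *src, size_t n)
{
    if (n > MEMBER_SIZE(struct packet, payload))
        return -1;
    memcpy(p->payload, src, n);
    return 0;
}

/* Compile-time form for constant lengths: a bad call fails the build, which is
 * the behaviour the blog post describes for FORTIFY_SOURCE in the kernel. */
#define COPY_MEMBER_CONST(obj, member, src, n)                          \
    do {                                                                \
        _Static_assert((n) <= sizeof((obj).member),                     \
                       "copy exceeds the size of the member");          \
        memcpy((obj).member, (src), (n));                               \
    } while (0)

/* Run one variant on an oversized copy and report whether the checksum
 * survived: returns 1 if intact, 0 if it was clobbered. */
int checksum_survives(int strict)
{
    struct packet p = { .seq = 1, .checksum = 0xDEADBEEF };
    char src[20];
    memset(src, 'A', sizeof src);        /* constructed 20-byte input */
    volatile size_t n = sizeof src;      /* read through volatile so the compiler
                                            cannot fold the copy and warn at build
                                            time; the run-time bound is the point */
    int rc = strict ? copy_payload_strict(&p, src, n)
                    : copy_payload_loose(&p, src, n);
    (void)rc;
    return p.checksum == 0xDEADBEEF;
}

int main(void)
{
    struct packet p = { .seq = 7 };
    COPY_MEMBER_CONST(p, payload, "hello", 5);   /* constant length: checked at compile time */
    printf("loose copy keeps checksum:  %d\n", checksum_survives(0));   /* prints 0 */
    printf("strict copy keeps checksum: %d\n", checksum_survives(1));   /* prints 1 */
    return 0;
}
```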

Wrapping up

Overall, the vast range of security improvements that have gone into Ubuntu 24.04 LTS greatly improve on the strong foundation provided by previous Ubuntu releases, making it the most secure release to date. Additional features within the kernel, in userspace and across the distribution as a whole combine to address entire vulnerability classes and attack surfaces. With up to 12 years of support, Ubuntu 24.04 LTS provides the best and most secure foundation to develop and deploy Linux services and applications. Expanded Security Maintenance, kernel livepatching and additional services are all provided to Ubuntu Pro subscribers to enhance the security of their Ubuntu deployments.

The Fridge: Ubuntu Weekly Newsletter Issue 836

Planet Ubuntu - Tue, 23/04/2024 - 12:22 AM

Welcome to the Ubuntu Weekly Newsletter, Issue 836 for the week of April 14 – 20, 2024. The full version of this issue is available here.

In this issue we cover:

  • Noble Numbat (24.04) Final Freeze
  • Ubuntu Stats
  • Hot in Support
  • Ubucon Latin America 2024 – Call for talks and workshops!
  • FOSSASIA Summit 2024 Recap!
  • Guide to submitting presentation proposals for UbuCon Korea 2024
  • Agenda of Activities for the Latin American Free Software Installation Festival (FLISOL) in Mérida
  • LoCo Events
  • Lubuntu Council 2024 Election Results
  • Upcoming AppArmor Security update for CVE-2016-1585
  • New feature: Ubuntu Snapshot Service
  • Release v0.2.0 of “miracle-wm”, a Wayland compositor built on Mir
  • Ubuntu Budgie 24.04 Release Notes
  • Ubuntu Cloud News
  • Canonical News
  • In the Blogosphere
  • Other Articles of Interest
  • Featured Audio and Video
  • Meeting Reports
  • Upcoming Meetings and Events
  • Updates and Security for Ubuntu 20.04, 22.04, and 23.10
  • And much more!

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • Wild Man
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!


Ubuntu Blog: Achieving Performant Single-Tenant Cloud Isolation with IBM Cloud Bare Metal Servers, Ubuntu Core, Snaps, and AMD Pensando Elba Data Processing Unit

Planet Ubuntu - Mon, 22/04/2024 - 6:52 PM

Discover how IBM Cloud’s bare metal servers offer highly confined and high-performing single-tenant cloud isolation through the use of Ubuntu Core and Snaps, supported by the AMD Pensando Elba DPU (Data Processing Unit). This setup enables the creation of secure and efficient environments for each tenant. Its design ensures the total separation of their servers from the cloud underlay. The architecture delivers consistent performance and enables non-intrusive control from the cloud provider. Learn how this innovative solution can benefit your business and enhance your cloud infrastructure.

Introduction

Public cloud bare-metal servers offer dedicated physical resources, but can present isolation and performance challenges. Isolation requirements involve maintaining full control of compute capabilities by the tenant, while preserving the backend management of its infrastructure by the cloud provider and preventing unauthorised access. Performance requirements entail providing consistent performance even under heavy workloads. Cloud providers face challenges in ensuring physical and logical isolation, resource allocation, monitoring, management, scalability, and security. To address these complex requirements, providers must invest in advanced technologies and implement best practices for resource allocation, monitoring, and management. They also need to regularly review and update infrastructure to meet tenant needs.

In the following discussion, we will explore how IBM Cloud is addressing these challenges by harnessing the distinctive capabilities of Ubuntu Core and Snaps deployed on the AMD Pensando Elba infrastructure accelerators.

IBM Cloud Bare Metal Servers for VPC

IBM has always been dedicated to keeping clients’ essential data secure through a strong focus on resilience, performance, and compliance. IBM Cloud executes that focus within highly regulated industries such as finance and insurance organisations. Given IBM Cloud’s long-standing commitment to data security, it is unsurprising and essential that Bare Metal Servers for VPC (VPC BM) implements the most rigorous security guarantees to meet customers’ expectations.

Bare metal servers, which are physical servers dedicated to a single tenant, offer benefits such as high performance and customizability, but managing them in a multi-tenant environment can be complex. A key requirement is ensuring isolation between the tenant and the cloud backend, both to maintain security and to prevent performance issues caused by noisy neighbours.

VPC BM allows customers to select a preset server profile that best matches their workloads to help accelerate the deployment of compute resources. Customers can achieve maximum performance without oversubscription, deployed in 10 minutes.

VPC BM is powered with the latest technology. The servers are built for cloud-enterprise applications, including VMware and SAP, and can also support HPC and IoT workloads. They come with enhanced high-performance networking at 100 Gbps as well as advanced security features.

A network orchestration layer handles the networking for all bare metal servers that are within an IBM Cloud VPC across regions and zones. This allows for management and creation of multiple, virtual private clouds in multi zone regions and also improves security, reduces latency, and increases high availability.

“I selected IBM Cloud VPC because of 5 points that I thought and was proven correct based on my experience using the service. First is security. Secondly is agility. The third is isolation. Fourth is the high performance. Fifth, and last, is the scalability.”

Ivo Draginov, CEO, BatchService

AMD Pensando DSC2-200 “Elba”

In use with some of the largest cloud providers and hyperscalers on the planet, the AMD Pensando DSC2-200 has proven itself as the platform of choice for cloud providers seeking to optimise performance, increase scale and introduce new infrastructure services at the speed of software. The DSC2-200 is a full-height, half-length PCIe card powered by the AMD Pensando 2nd generation DPU “Elba”. The DSC2-200 is the ideal platform for cloud providers to implement multi-tenant SDN, stateful security, storage, encryption and telemetry at line rate. The platform’s scale architecture allows cloud providers to offer multiple services on the same DPU card.

Developers can create customised data plane services that target 400G throughput, microsecond-level latencies, and scale to tens of millions of flows. The heart of the AMD Pensando platform is a fully programmable P4 data processing unit (DPU). High-level programming languages (P4, C) enable rapid development and deployment of new features and services.

The innovative design of the AMD Pensando DPU provides a secure air gap between tenants’ compute instances and the cloud infrastructure, as well as secure isolation between tenants. This separation enables cloud operators to manage their infrastructure functions efficiently and independently of their tenants’ workloads, while freeing valuable compute resources from infrastructure tasks and dedicating them fully to revenue-generating business applications. The exceptional throughput and performance of the Elba DSC2-200, along with its strong alignment with IBM’s security expectations, made it a top choice for inclusion in IBM Cloud’s bare metal servers for VPC. This combination of features enables IBM Cloud to provide highly secure and powerful environments for its customers.

Achieving IBM Cloud’s target outcomes with Ubuntu Core and Snaps

The first goal was to implement a secure and reliable operating system that IBM Cloud development teams could use to launch their management interface and functionality on the AMD Pensando DPU cards. Initially, IBM Cloud selected Ubuntu Server as the operating system. They were familiar with it and could easily develop on top of it using the familiar Linux toolset and API.

To develop software running on the AMD Pensando DPU cards, the development kit provides a complete container-based development environment. It allows for the development of data plane, management plane, and control plane functions. To perform correctly, these containers must be allowed direct communication with the card hardware components with fine-grained isolation. Traditional container runtimes such as Docker and Kubernetes alone cannot meet the unique requirements of this solution. Fortunately, Snap packages provide this access through secure and controlled interfaces to the operating system.

Using Snap packages, IBM Cloud developers were able to implement all the functionalities they needed in record time. This positive experience made them turn their attention to Ubuntu Core, the version of Ubuntu specifically designed for embedded systems such as AMD Pensando DPU cards. It is entirely made up of Snap packages, creating a confined, immutable and transaction-based system. Communication among containers and between containers and the operating system is locked down under full control. In addition, Ubuntu Core provides full disk encryption and secure boot, achieving additional mandatory security compliance objectives.

IBM Cloud successfully converted their bespoke AMD Pensando system image from Ubuntu Server to Ubuntu Core and, after positive results in the pre-production tests, proceeded to deploy it in production to support Bare Metal Servers on VPC.

Conclusion

In summary, Canonical’s Ubuntu Core and IBM Cloud’s components, when packaged as Snaps, provide a unique solution that effectively addresses the challenges faced by the company. This innovative approach has enabled IBM Cloud to enhance its offerings and deliver improved performance, security, and tenant isolation. The development of the solution was completed in under a year and it has been operating successfully in production since then. The implementation has been a resounding success. Ultimately, addressing these challenges provided IBM Cloud with several advantages, including differentiation, cost savings, and improved efficiency.

The collaboration between IBM Cloud, Canonical, and AMD Pensando remains ongoing, with plans to expand the use of Ubuntu Core and Snaps to support other non-bare metal offerings, including Virtual Server for VPC. A key medium-term goal is to achieve FedRAMP compliance, which involves upgrading to Ubuntu Core 22 and ensuring FIPS compliance at the kernel and filesystem levels. This ongoing partnership and development aim to enhance the security, performance, and functionality of IBM Cloud’s solutions.

Debian Project Leader Election 2024, Andreas Tille elected.

Bits from Debian - Mon, 22/04/2024 - 2:00 PM

The voting period for the Debian Project Leader election has ended. Please join us in congratulating Andreas Tille as the new Debian Project Leader.

The new term for the project leader started on 2024-04-21.

369 of 1,010 Debian Developers voted using the Condorcet method.

More information about the results of the voting is available on the Debian Project Leader Elections 2024 page.

Many thanks to all of our Developers for voting.

What Happened After Amazon Electrified Its Delivery Fleet?

Slashdot - Mon, 22/04/2024 - 9:44 AM
Bloomberg looks at America's biggest operator of private electrical vehicle charging infrastructure: Amazon. "In a little more than two years, Amazon has installed more than 17,000 chargers at about 120 warehouses around the U.S." — and had Rivian build 13,500 custom electric delivery vans. Amazon has a long way to go. The Seattle-based company says its operations emitted about 71 million metric tons of carbon dioxide equivalent in 2022, up by almost 40% since Jeff Bezos's 2019 vow that his company would eventually stop contributing to the emissions warming the planet. Many of Amazon's emissions come from activities — air freight, ocean shipping, construction and electronics manufacturing, to name a few — that lack a clear, carbon-free alternative, today or any time soon. The company has not made much progress on decarbonization of long-haul trucking, whose emissions tend to be concentrated in industrial and outlying areas rather than the big cities that served as the backdrop for Amazon's electric delivery vehicle rollout... Another lesson Amazon learned is one the company isn't keen to talk about: Going green can be expensive, at least initially. Based on the type of chargers Amazon deploys — almost entirely midtier chargers called Level 2 in the industry — the hardware likely cost between $50 million and $90 million, according to Bloomberg estimates based on cost estimates supplied by the National Renewable Energy Laboratory. Factoring in costs beyond the plugs and related hardware — like digging through a parking lot to lay wires or set up electrical panels and cabinets — could double that sum. Amazon declined to comment on how much it spent on its EV charging push. In addition to the expense of the chargers, electric vehicle-fleet operators are typically on the hook for utility upgrades. 
When companies request the sort of increases to electrical capacity that Amazon has — the Maple Valley warehouse has three megawatts of power for its chargers — they tend to pay for them, making the utility whole for work done on behalf of a single customer. Amazon says it pays upgrade costs as determined by utilities, but that in some locations the upgrades fit within the standard service power companies will handle out of their own pocket. The article also includes this quote from Kellen Schefter, transportation director at the Edison Electric Institute trade group (which worked with Amazon on its electricity needs). "Amazon's scale matters. If Amazon can show that it meets their climate goals while also meeting their package-delivery goals, we can show this all actually works."


next-20240422: linux-next

Kernel Linux - Mon, 22/04/2024 - 7:37 AM
Version: next-20240422 (linux-next) Released: 2024-04-22

Ex-White House Cyber Policy Director: Microsoft is a National Security Risk

Slashdot - Mon, 22/04/2024 - 6:59 AM
This week the Register spoke to former senior White House cyber policy director A.J. Grotto — who complained it was hard to get even slight concessions from Microsoft: "If you go back to the SolarWinds episode from a few years ago ... [Microsoft] was essentially up-selling logging capability to federal agencies" instead of making it the default, Grotto said. "As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach." Grotto told us Microsoft had to be "dragged kicking and screaming" to provide logging capabilities to the government by default. [In the interview he calls it "an epic fight" which lasted 18 months.] [G]iven the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best. That illustrates, Grotto said, that "they [Microsoft] just have a ton of leverage, and they're not afraid to use it." Add to that concerns over an Exchange Online intrusion by Chinese snoops, and another Microsoft security breach by Russian cyber operatives, both of which allowed spies to gain access to US government emails, and Grotto says it's fair to classify Microsoft and its products as a national security concern. He estimates that Microsoft makes 85% of U.S. government productivity software — and has an even greater share of their operating systems. "Microsoft in many ways has the government locked in," he says in the interview, "and so it's able to transfer a lot of these costs associated with the security breaches over to the federal government." And about five minutes in, he says, point-blank, that "It's perfectly fair" to consider Microsoft a national security threat, given its dominance "not just within the federal government, but really in sort of the broader IT marketplace. I think it's fair to say, yeah, that a systemic compromise that affects Microsoft and its products do rise to the level of a national security risk."
He'd like to see the government encourage more competition — to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance...

Read more of this story at Slashdot.

Startup is Building the World's Largest Ocean-Based Carbon Plant - and It's Scalable

Slashdot - Mon, 22/04/2024 - 4:09 AM
An anonymous reader shared this report from CNN: On a slice of the ocean front in west Singapore, a startup is building a plant to turn carbon dioxide from air and seawater into the same material as seashells, in a process that will also produce "green" hydrogen — a much-hyped clean fuel. The cluster of low-slung buildings starting to take shape in Tuas will become the "world's largest" ocean-based carbon dioxide removal plant when completed later this year, according to Equatic, the startup behind it that was spun out of the University of California at Los Angeles. The idea is that the plant will pull water from the ocean, zap it with an electric current and run air through it to produce a series of chemical reactions to trap and store carbon dioxide as minerals, which can be put back in the sea or used on land... The $20 million facility will be fully operational by the end of the year and able to remove 3,650 metric tons of carbon dioxide annually, said Edward Sanders, chief operating officer of Equatic, which has partnered with Singapore's National Water Agency to construct the plant. That amount is equivalent to taking roughly 870 average passenger cars off the road. The ambition is to scale up to 100,000 metric tons of CO2 removal a year by the end of 2026, and from there to millions of metric tons over the next few decades, Sanders told CNN. The plant can be replicated pretty much anywhere, he said, stacked up in modules "like lego blocks...." The upfront costs are high but the company says it plans to make money by selling carbon credits to polluters to offset their pollution, as well as selling the hydrogen produced during the process. Equatic has already signed a deal with Boeing to sell it 2,100 metric tons of hydrogen, which it plans to use to create green fuel, and to fund the removal of 62,000 metric tons of CO2. There are other projects around the world attempting ocean-based carbon dioxide removal, CNN notes.
"Other projects include sprinkling iron particles into the ocean to stimulate CO2-absorbing phytoplankton, sinking seaweed into the depths to lock up carbon and spraying particles into marine clouds to reflect away some of the sun's energy." But carbon-removal projects are controversial, criticized for being expensive, unproven at scale and a distraction from policies to cut fossil fuels. And when they involve the oceans — complex ecosystems already under huge strain from global warming — criticisms can get even louder. There are "big knowledge gaps" when it comes to ocean geoengineering generally, said Jean-Pierre Gattuso, an ocean scientist at the Sorbonne University in France. "I am very concerned with the fact that science lags behind the industry," he told CNN.

Read more of this story at Slashdot.

The Ingenuity Mars Helicopter Just Sent Its Last Message Home

Slashdot - Mon, 22/04/2024 - 12:25 AM
Two months ago the team behind NASA's Ingenuity Helicopter released a video reflecting on its historic explorations of Mars, flying 10.5 miles (17.0 kilometers) in 72 different flights over three years. It was the team's way of saying goodbye, according to NASA's video. And this week, LiveScience reports, Ingenuity answered back: On April 16, Ingenuity beamed back its final signal to Earth, which included the remaining data it had stored in its memory bank and information about its final flight. Ingenuity mission scientists gathered in a control room at NASA's Jet Propulsion Laboratory (JPL) in California to celebrate and analyze the helicopter's final message, which was received via NASA's Deep Space Network, made up of ground stations located across the globe. In addition to the remaining data files, Ingenuity sent the team a goodbye message including the names of all the people who worked on the mission. This special message had been sent to Perseverance the day before and relayed to Ingenuity to send home. The helicopter, which still has power, will now spend the rest of its days collecting data from its final landing spot in Valinor Hills, named after a location in J.R.R. Tolkien's "The Lord of the Rings" books. The chopper will wake up daily to test its equipment, collect a temperature reading and take a single photo of its surroundings. It will continue to do this until it loses power or fills up its remaining memory space, which could take 20 years. Such a long-term dataset could not only benefit future designs for Martian vehicles but also "provide a long-term perspective on Martian weather patterns and dust movement," researchers wrote in the statement. However, the data will be kept on board the helicopter and not beamed back to Earth, so it must be retrieved by future Martian vehicles or astronauts. 
"Whenever humanity revisits Valinor Hills — either with a rover, a new aircraft, or future astronauts — Ingenuity will be waiting with her last gift of data," Teddy Tzanetos, an Ingenuity scientist at JPL, said in the statement. Thursday NASA's Jet Propulsion Laboratory released another new video tracing the entire route of Ingenuity's expedition over the surface of Mars. "Ingenuity's success could pave the way for more extensive aerial exploration of Mars down the road," adds Space.com: Mission team members are already working on designs for larger, more capable rotorcraft that could collect a variety of science data on the Red Planet, for example. And Mars isn't the only drone target: In 2028, NASA plans to launch Dragonfly, a $3.3 billion mission to Saturn's huge moon Titan, which hosts lakes, seas and rivers of liquid hydrocarbons on its frigid surface. The 1,000-pound (450 kg) Dragonfly will hop from spot to spot on Titan, characterizing the moon's various environments and assessing its habitability.

Read more of this story at Slashdot.

I2P 2.5.0 Release Brings Improvements in Tunnels, I2PSnark & More

LinuxSecurity.com - Mon, 22/04/2024 - 12:06 AM
The recent release of I2P 2.5.0, an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew of improvements and new features that will certainly intrigue security practitioners. This release aims to enhance user-facing features while addressing compatibility and security issues.

GPT-4 Can Exploit Real Vulnerabilities By Reading Security Advisories

Slashdot - Sun, 21/04/2024 - 11:05 PM
Long-time Slashdot reader tippen shared this report from the Register: AI agents, which combine large language models with automation software, can successfully exploit real world security vulnerabilities by reading security advisories, academics have claimed. In a newly released paper, four University of Illinois Urbana-Champaign (UIUC) computer scientists — Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang — report that OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw. "To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description," the US-based authors explain in their paper. "When given the CVE description, GPT-4 is capable of exploiting 87 percent of these vulnerabilities compared to 0 percent for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit)...." The researchers' work builds upon prior findings that LLMs can be used to automate attacks on websites in a sandboxed environment. GPT-4, said Daniel Kang, assistant professor at UIUC, in an email to The Register, "can actually autonomously carry out the steps to perform certain exploits that open-source vulnerability scanners cannot find (at the time of writing)." The researchers wrote that "Our vulnerabilities span website vulnerabilities, container vulnerabilities, and vulnerable Python packages. Over half are categorized as 'high' or 'critical' severity by the CVE description...." "Kang and his colleagues computed the cost to conduct a successful LLM agent attack and came up with a figure of $8.80 per exploit."

Read more of this story at Slashdot.

Is Rivos Building a RISC-V AI Chip?

Slashdot - Sun, 21/04/2024 - 10:05 PM
Remember when Apple filed a lawsuit against chip startup Rivos (saying that in one year Rivos hired more than 40 former Apple employees to work on competing system-on-a-chip technology)? Apple settled that suit in February. And now Tuesday Rivos announced that it raised $250 million, according to Reuters, "in a funding round that will enable it to manufacture its first server chip geared for artificial intelligence," combining a CPU with an AI-accelerating component optimized for LLMs and data analytics. Nvidia gobbled up more than 80% market share of AI chips in 2023. But a host of startups and chip giants have started to launch competing products, such as Intel's Gaudi 3 and Meta's inference chip — both unveiled last week. Rivos is tight-lipped about the specifics of the product, but has disclosed that its plans include designing chips based on the RISC-V architecture, which is an open source alternative to the architectures made by Arm, Intel, and Advanced Micro Devices. [U]sing the open source alternative means Rivos does not have to pay a license fee to Arm. "RISC-V doesn't have a (large) software ecosystem, so I decided to form a company and then build software-defined hardware — just like what CUDA did with Nvidia," said Lip-Bu Tan, founding managing partner at Walden Catalyst, one of Rivos' investors. Meanwhile, there's a rumor that Allen Wu, former chief executive of Arm China, has founded a new company that will develop chips based on RISC-V. Tom's Hardware writes: Under the leadership of the controversial Allen Wu, Zhongzhi Chip is reportedly attracting a notable influx of talent, including numerous former employees of Arm, indicating the new company's serious ambitions in the chip sector... [T]he company's operational focus remains partially unclear, with speculation around whether it will primarily engage in its own R&D initiatives or represent Tenstorrent in China as its agent... which develops HPC CPUs and AI processors based on the RISC-V ISA...
Based on the source report, Zhongzhi Chip is leveraging its connections and forming alliances with several other leading global RISC-V chip developers.

Read more of this story at Slashdot.

6.9-rc5: mainline

Kernel Linux - Sun, 21/04/2024 - 9:35 PM
Version: 6.9-rc5 (mainline)
Released: 2024-04-21
Source: linux-6.9-rc5.tar.gz
Patch: full (incremental)

Lying to Investors? Co-Founder of Startup 'HeadSpin' Gets 18-Month Prison Sentence for Fraud

Slashdot - Sun, 21/04/2024 - 9:05 PM
The co-founder of Silicon Valley-based software testing startup HeadSpin was sentenced Friday to 18 months in prison and a $1 million fine, reports SFGate — for defrauding investors. Manish Lachwani pleaded guilty to two counts of wire fraud and a count of securities fraud in April 2023, after federal prosecutors accused him of, for years, lying to investors about HeadSpin's finances to raise more money. HeadSpin, founded in 2015, grew to a $1.1 billion valuation by 2020 with over $115 million in funding from investors including Google Ventures and Iconiq Capital... He had personally altered invoices, lied to the company accountant and sent slide decks with fraudulent information to investors, [according to the government's 2021 criminal complaint]... Judge Breyer, per the New York Times, rejected Lachwani's lawyer's argument that because HeadSpin investors didn't end up losing money, he should receive a light sentence. The judge, who often oversees tech industry cases, reportedly said: "If you win, there are no serious consequences — that simply can't be the law." Still, the sentencing was far lighter than it could have been. The government's prosecuting attorneys had asked for a five-year prison term. The New York Times reported in December that HeadSpin's financial statements had "often arrived months late, if at all, investors said in legal declarations," while the company's financial department "consisted of one external accountant who worked mostly from home using QuickBooks." And the company also had no human resources department or organizational chart... After Manish Lachwani founded the Silicon Valley software start-up HeadSpin in 2015, he inflated the company's revenue numbers by nearly fourfold and falsely claimed that firms including Apple and American Express were customers. He showed a profit where there were losses. He used HeadSpin's cash to make risky trades on tech stocks. And he created fake invoices to cover it all up.
What was especially breathtaking was how easily Mr. Lachwani, now 48, pulled all that off... [HeadSpin] had no chief financial officer, had no human resources department and was never audited. Mr. Lachwani used that lack of oversight to paint a rosier picture of HeadSpin's growth. Even though its main investors knew the start-up's financials were not accurate, according to Mr. Lachwani's lawyers, they chose to invest anyway, eventually propelling HeadSpin to a $1.1 billion valuation in 2020. When the investors pushed Mr. Lachwani to add a chief financial officer and share more details about the company's finances, he simply brushed them off. These details emerged this month in filings in U.S. District Court for the Northern District of California after Mr. Lachwani had pleaded guilty to three counts of fraud in April... The absence of controls at HeadSpin is part of an increasingly noticeable pattern at Silicon Valley start-ups that have run into trouble. Over the past decade, investors in tech start-ups were so eager to back hot companies that many often overlooked reckless behavior and gave up key controls like board seats, all in the service of fast growth and disruption. Then when founders took the ethos of "fake it till you make it" too far, their investors were often unaware or helpless... Now, amid a start-up shakeout, more frauds have started coming to light. The founder of the college aid company Frank has been charged, the internet connectivity start-up Cloudbrink has been sued, and the social media app IRL has been investigated and sued. Last month, Mike Rothenberg, a Silicon Valley investor, was found guilty on 21 counts of fraud and money laundering. On Monday, Trevor Milton, founder of the electric vehicle company Nikola, was sentenced to four years in prison for lying about Nikola's technological capabilities. 
The Times points out that similarly, FTX only had a three-person board "with barely any influence over the company, tracked its finances on QuickBooks and used a small, little-known accounting firm." And that Theranos had no financial audits for six years.

Read more of this story at Slashdot.
