Slashdot

Do you prefer Windows, Mac, or Linux?

Thousands of Palo Alto Networks Firewalls Compromised This Week After Critical Security Hole: Palo Alto Networks boasts 70,000 customers in 150 countries, including 85% of the Fortune 500. But this week "thousands of Palo Alto Networks firewalls were compromised by attackers exploiting two recently patched security bug," reports the Register: The intruders were able to deploy web-accessible backdoors to remotely control the equipment as well as cryptocurrency miners and other malware. Roughly 2,000 devices had been hijacked as of Wednesday — a day after Palo Alto Networks pushed a patch for the holes — according to Shadowserver and Onyphe. As of Thursday, the number of seemingly compromised devices had dropped to about 800. The vendor, however, continues to talk only of a "limited number" of exploited installations... The Register has asked for clarification, including how many compromised devices Palo Alto Networks is aware of, and will update this story if and when we hear back from the vendor. Rumors started swirling last week about a critical security hole in Palo Alto Networks appliances that allowed remote unauthenticated attackers to execute arbitrary code on devices. Exploitation requires access to the PAN-OS management interface, either across the internet or via an internal network. The manufacturer did eventually admit that the firewall-busting vulnerability existed, and had been exploited as a zero-day — but it was still working on a patch. On Tuesday, PAN issued a fix, and at that time said there were actually two vulnerabilities. The first is a critical (9.3 CVSS) authentication bypass flaw tracked as CVE-2024-0012. The second, a medium-severity (6.9 CVSS) privilege escalation bug tracked as CVE-2024-9474. The two can be chained together to allow remote code execution (RCE) against the PAN-OS management interface... once the attackers break in, they are using this access to deploy web shells, Sliver implants, and/or crypto miners, according to Wiz threat researchers. Read more of this story at Slashdot.

Flamewar Leads to Declining of Bcachefs Pull Requests During Linux 6.13 Kernel Development Cycle: "Get your head examined. And get the fuck out of here with this shit." That's how Bcachefs developer Kent Overstreet ended a post on the Linux kernel mailing list. This was followed by "insufficient action to restore the community's faith in having otherwise productive technical discussions without the fear of personal attacks," according to an official ruling by committee enforcing the kernel community's code of conduct. After formalizing an updated enforcement process for unacceptable behaviors, it then recommended that during the Linux 6.13 kernel development cycle, Overstreet's participation should be restricted (with his pull requests declined). Phoronix covered their ruling, and ItsFOSS and The Register offer some of the backstory. Overstreet had already acknowledged that "Things really went off the rails (and I lost my cool, and earned the ire of the CoC committee)" in a 6,200-word blog post on his Patreon page. But he also emphasized that "I'm going to keep writing code no matter what. Things may turn into more of a hassle to actually get the code, but people who want to keep running bcachefs will always be able to (that's the beauty of open source, we can always fork), and I will keep supporting my users..." More excerpts from Overstreet's blog post: I got an emails from multiple people, including from Linus, to the effect of "trust me, you don't want to be known as an asshole — you should probably send him an apology"... Linus is a genuinely good guy: I know a lot of people reading this will have also seen our pull request arguments, so I specifically wanted to say that here: I think he and I do get under each other's skin, but those arguments are the kind of arguments you get between people who care deeply about their work and simply have different perspectives on the situation... [M]y response was to say "no" to a public apology, for a variety of reasons: because this was the result of an ongoing situation that had now impacted two different teams and projects, and I think that issue needs attention — and I think there's broader issues at stake here, regarding the CoC board. But mostly, because that kind of thing feels like it ought to be kept personal... I'd like a better process that isn't so heavy handed for dealing with situations where tensions rise and communications break down. As for that process: just talk to people... [W]e're a community. We're not interchangeable cogs to be kicked out and replaced when someone is "causing a problem", we should be watching out for each other... Another note that I was raising with the CoC is that a culture of dismissiveness, of finding ways to avoid the technical discussions we're supposed to be having, really is toxic, and moreso than mere flamewars... we really do need to be engaging properly with each other in order to do our work well. After the official response from the committee,

Craigslist Founder Gives $300M to Fund Critical US Infrastructure Cybersecurity: Craig Newmark "is alarmed about potential cybersecurity risks in the U.S.," according to Yahoo Finance. The 71-year-old Craigslist founder says "our country is under attack now" in a new interview with Yahoo Finance executive editor Brian Sozzi on his Opening Bid podcast. But Newmark also revealed what he's doing about it: [H]e started Craig Newmark Philanthropies to primarily invest in projects to protect critical American infrastructure from cyberattacks. He told Sozzi he is now spending $200 million more to address the issue, on top of an initial $100 million pledge revealed in September of this year. He encouraged other wealthy people to join him in the fight against cyberattacks. "I tell people, 'Hey, the people who protect us could use some help. The amounts of money comparatively are small, so why not help out,'" he said... The need for municipalities and other government entities to act rather than react remains paramount, warns Newmark. "I think a lot about this," said Newmark. "I've started to fund networks of smart volunteers who can help people protect infrastructure, particularly [for] the small companies and utilities across the country who are responsible for most of our electrical and power supplies, transportation infrastructure, [and] food distribution.... A lot of these systems have no protection, so an adversary could just compromise them, saying unless you do what we need, we can start shutting off these things," he continued. Should that happen, recovery "could take weeks and weeks without your water supply or electricity." A web page at Craig Newmark Philanthropies offers more details Craig was part of the whole "duck and cover" thing, in the 50s and 60s, and realizes that we need civil defense in the cyber domain, "cyber civil defense." This is patriotism, for regular people. He's committed $100 million to form a Cyber Civil Defense network of groups who are starting to protect the country from cyber threats. Attacks on our power grids, our cyber infrastructure and even the internet-connected gadgets and appliances in our homes are real. If people think that's alarmist, tell them to "Blame Craig." The core of Cyber Civil Defense [launched in 2022] includes groups like Aspen Digital, Global Cyber Alliance, and Consumer Reports, focusing on citizen cyber education and literacy, cyber tool development, and cybersecurity workforce programs aimed at diversifying the growing field. It's already made significant investments in groups like the Ransomware Task Force and threat watchdog group Shadowserver Foundation... Read more of this story at Slashdot.

Solar Glut: Half of California's Solar Power Sometimes Goes to Waste, Research Shows: Some days more than half of California's available solar power goes to waste, according to research from the California Institute for Energy and Environment. "In the last 12 months, California's solar farms have curtailed production of more than 3 million megawatt hours of solar energy," according to a data analysis by the Los Angeles Times — enough to power 518,000 California homes for a year. And it was curtailed "either on the orders of the state's grid operator or because prices had plummeted because of the glut. The waste would have been even larger if California had not paid utilities in other states to take the excess solar energy, documents from the state's grid operator show." That means green energy paid for by California electricity customers is sent away, lowering bills for residents of other states. Arizona's largest public utility reaped $69 million in savings last year by buying from the market California created to get rid of its excess solar power. The utility returned that money to its customers as a credit on their bills. Also reaping profits are electricity traders, including banks and hedge funds. The increasing oversupply of solar power has created a situation where energy traders can buy the excess at prices so low they become negative, said energy consultant Gary Ackerman, the former executive director of the Western Power Trading Forum. That means the solar plant is paying the traders to take it. "This is all being underwritten by California ratepayers," Ackerman said... The solar glut also means higher electricity bills for Californians, since they are effectively paying to generate the power but not using it. California's electric rates are roughly twice the nation's average, with only Hawaii having higher rates. Rates at Southern California Edison and Pacific Gas & Electric increased by 51% over the last three years. "Ratepayers aren't getting the energy they've paid for," said Ron Miller, an energy industry consultant in Denver. He calculates that the retail value of the solar energy thrown away in a year would be more than $1 billion. Gov. Gavin Newsom's advisors and those who manage the state's electric grid say they are working to reduce the curtailments, including by building more industrial-scale battery storage facilities that soak up the excess solar power during the day and then release it at night. Officials in the governor's office declined to be interviewed, but issued a statement saying the curtailments are often because of congestion on transmission lines, rather than a statewide oversupply of power. The state has been spending heavily to upgrade transmission lines to ease the congestion. "It's also important to have extra energy resources available that can help the state during periods of extreme weather and historic heatwaves when demand is particularly high, which have happened the past few years," the statemen

World Agrees on $300B Climate Aid Financial Deal - After COP29 Summit 'Nearly Implodes': "At points there was fear the talks would implode, as groups representing vulnerable small island states and the least-developed countries walked out of negotiations Saturday," according to a new report from CNN. But after weeks of international climate talks at COP29, "the world agreed to a new climate deal... "with wealthy countries pledging to provide $300 billion annually by 2035 to poorer countries to help them cope with the increasingly catastrophic impacts of the climate crisis." The amount pledged, however, falls far short of the $1.3 trillion economists say is needed to help developing countries cope with a climate crisis they have done least to cause — and there has been a furious reaction from many developing countries. a fiery speech immediately after the gavel went down, India's representative Chandni Raina slammed the $300 billion as "abysmally poor" and a "paltry sum," calling the agreement "nothing more than an optical illusion" and unable to "address the enormity of the challenge we all face." Others were equally damning in their criticism. We are leaving with a small portion of the funding climate-vulnerable countries urgently need," said Tina Stege, Marshall Islands climate envoy. Stege heavily criticized the talks as showing the "very worst of political opportunism." Fossil fuel interests "have been determined to block progress and undermine the multilateral goals we've worked to build," she said in a statement... There was also a push for richer emerging economies such as China and Saudi Arabia to contribute to the climate funding package, but the agreement only "encourages" developing countries to make voluntary contributions, and places no obligations on them... Saudi Arabia, the world's top oil exporter, which has pushed against ambitious action at past climate summits, seemed even more emboldened in Baku, publicly and explicitly rejecting any reference to oil, coal and gas in the deal. The package "is also being criticised as short-sighted from the richer world's perspective," notes the BBC: The argument runs that if you want to keep the world safe from rising temperatures, then wealthier nations need to help emerging economies cut their emissions, because that is where 75% of the growth in emissions has occurred in the past decade. But "Delegations more optimistic about the agreement said this deal is headed in the right direction," writes the Associated Press, "with hopes that more money flows in the future." The text included a call for all parties to work together using "all public and private sources" to get closer to the $1.3 trillion per year goal by 2035. That means also pushing for international mega-banks, funded by taxpayer dollars, to help foot the bill. And it means, hopefully, that companies and private investors will follow suit on channeling cash toward climate action. The agreement is also a critical step to

Microsoft's Controversial 'Recall' Feature is Already Experiencing Some Issues: Microsoft's controversial "Recall" feature (in a public preview of Windows 11) already has some known issues, Microsoft admitted Friday. For example: - Recall can be enabled or disabled from "Turn Windows features on or off". We are caching the Recall binaries on disk while we test add/remove. In a future update we will completely remove the binaries. - You must have Secure Boot enabled for Recall to save snapshots. - Some users experience a delay before snapshots first appear in the timeline while using their device. If snapshots do not appear after 5 minutes, reboot your device. If saving snapshots is enabled, but you see snapshots are no longer being saved, reboot your device. - Clicking links within Recall to submit feedback may experience a delay in loading the Feedback Hub application. Be patient and it will display. CNBC adds that according to Microsoft Recall "won't work with some accessibility programs, and if you specify that Recall shouldn't save content from a given website, it might get captured anyway while using the built-in Edge browser..." But those aren't the only issues CNBC noticed: - While you might expect that your computer will be recording every last thing you look at once you've turned on Recall, it can go several minutes between making snapshots, leaving gaps in the timeline. - Recall allows you to prevent screenshots from being made when you're accessing specific apps. But a few apps installed on my Surface Pro are not shown on that list. - When you enter a search string to find words, results might be incomplete or incorrect. Recall clearly had two screen images that mention "Yankees," but when I typed that into the search box, only one of them came up as a text match. I typed in my last name, which appeared in eight images, but Recall produced just two text matches. - Recall made a screenshot while I was scrolling through posts on social network BlueSky, and one contains a photo of a New York street scene. You can see a stoplight, a smokestack and street signs. I typed each of those into the search box, but Recall came up with no results... - The search function is fast, but flipping through snapshots in Recall is not. It can take a couple of seconds to load screenshots as you swipe between them. Read more of this story at Slashdot.

Coding Boot Gamp Graduates Find tough Prospects In an AI-Powered World: An anonymous reader shared this report from the New York Times: Between the time [construction worker Florencio] Rendon applied for the coding boot camp and the time he graduated, what Mr. Rendon imagined as a "golden ticket" to a better life had expired. About 135,000 start-up and tech industry workers were laid off from their jobs, according to one count. At the same time, new artificial intelligence tools like ChatGPT, an online chatbot from OpenAI, which could be used as coding assistants, were quickly becoming mainstream, and the outlook for coding jobs was shifting. Mr. Rendon says he didn't land a single interview. Coding boot camp graduates across the country are facing a similarly tough job market. In Philadelphia, Mal Durham, a lawyer who wanted to change careers, was about halfway through a part-time coding boot camp late last year when its organizers with the nonprofit Launchcode delivered disappointing news. "They said: 'Here is what the hiring metrics look like. Things are down. The number of opportunities is down,'" she said. "It was really disconcerting." In Boston, Dan Pickett, the founder of a boot camp called Launch Academy, decided in May to pause his courses indefinitely because his job placement rates, once as high as 90 percent, had dwindled to below 60 percent. "I loved what we were doing," he said. "We served the market. We changed a lot of lives. The team didn't want that to turn sour." Compared with five years ago, the number of active job postings for software developers has dropped 56 percent, according to data compiled by CompTIA. For inexperienced developers, the plunge is an even worse 67 percent. "I would say this is the worst environment for entry-level jobs in tech, period, that I've seen in 25 years," said Venky Ganesan, a partner at the venture capital firm Menlo Ventures. A Stack Overflow survey of 65,000 developers found that 60% had used AI coding tools this year, the article points out. And it includes two predictions about the future: Armando Solar-Lezama, leader of MIT's Computer-Assisted Programming Group, "believes that A.I. tools are good news for programming careers. If coding becomes easier, he argues, we'll just make more, better software. We'll use it to solve problems that wouldn't have been worth the hassle previously, and standards will skyrocket." Zach Sims, a co-founder of Codecademy, said of the job prospects for coding boot camp graduates" "I think it's pretty grim." Read more of this story at Slashdot.

Unpublished Slashdot Submission Dragged Into Reddit Drama About C++ Paper's Title: Reddit's moderators drew some criticism after "locking" a discussion about C++ paper and proposal author Andrew Tomazos. The URL for the story with the locked discussion had led to a submission to Slashdot's queue of potential (but unpublished) stories, which nevertheless attracted 178 upvotes on Reddit and another 85 comments. That unpublished Slashdot submission was also submitted to Hacker News, where it drew another 38 upvotes but was also eventually flagged. Back on Reddit's C++ subreddit (which has 300,000 members), a "direct appeal" was submitted to the moderators to unlock Reddit's earlier discussion (drawing over 100 upvotes). But there's one problem with this drama, as Slashdot reader brantondaveperson pointed out. "There appears to be no independent confirmation of this story anywhere. The only references to it are this slashdot story, and a reddit story. Neither cite sources or provide evidence." This drew a response from the person submitting the potential story to Slashdot: You raise a valid point. The communication around this was private. The complaint about the [paper's] title, the author's response, and the decision to expel were all communicated by either private email, on private mailing lists or in private in-person meetings. These private communications could be quoted by participants in said communications. Please let us know if that would be sufficient. The paper had already drawn some criticism in a longer blog post by programmer Izzy Muerte (which called it "a fucking cleaned up transcript of a ChatGPT conversation".) It's one of six papers submitted this yearLinkedIn profile) is "lead programmer" of videogame company Fury Games (founded by him and his wife). It also shows an earlier two-year stint as a Google senior software engineer, which overlaps his time as a contributor (from 2012 to 2018) to the C++ programming language. There were people claiming direct knowledge of the situation posting on Reddit. A user named kritzikratzi posted: I contacted Andrew Tomazos directly. According to him the title "The Undefined Behavior Question" caused complaints inside WG21. The Standard C++ Foundation then offered two choices (1) change the paper title (2) be expelled. Andrew Tomazos chose (2). A Reddit user Dragdu posted: He wasn't expelled for that paper, but rather this was the last straw. And he wasn't banned from the [WG21] committee, that is borderline impossible, but rather the organization he was representing told him to fuck off and don't represent them anymore. If he can find different organization to represent, he can still attend... Tomazos has been on lot of people's shit list, because his contributions suck... He decided that the title is too important to his ViSiOn for the chatgpt BS submitted as a paper, and that he won't change the title. This was the straw that broke the camel's back and his "sponsor" told him to fuck of

Is There New Evidence in the D.B. Cooper Case?: On November 24th, 1971 — 53 years ago today — a mysterious man jumped out of an airplane clutching $200,000 in ransom money. (He'd extorted it from the airline by claiming he had a bomb, and it's still "the only unsolved case of air piracy in the history of commercial aviation," according to Wikipedia.) Will modern technology finally let us solve the case — or just turn it into a miniseries on Netflix? And have online researchers finally discovered the definitive clue? The FBI vetted more than 800 suspects, according to the Wyoming news site Cowboy State Daily, but in 2016 announced they were suspending their active investigation. So it's newsworthy that the FBI now appears to be investigating new evidence, according to an amateur D.B. Cooper researcher on YouTube: the discovery of what's believed to be D.B. Cooper's uniquely-modified parachute: Retired pilot, skydiver and YouTuber, Dan Gryder told Cowboy State Daily that he may have found the missing link after uncovering the modified military surplus bailout rig he believes was used by D.B. Cooper in the heist. It belonged to Richard Floyd McCoy II, and was carefully stored in his deceased mother's storage stash until very recently... McCoy's children, Chanté and Richard III, or "Rick," agree with Gryder that they believe their father was D.B. Cooper, a secret that shrouded the family but wasn't overtly discussed. For years, they said, the family stayed mum out of fear of implicating their mother, Karen, whom they believe was complicit in both hijackings. Upon her death in 2020, they broke their silence to Gryder after being contacted by him off and on for years. Gryder, who has been researching the case for more than 20 years, documented his investigation in a lengthy two-part series on his YouTube channel, "Probable Cause," in 2021 and 2022, where he connects the dots and shows actual footage of him finding the parachute in an outbuilding on the McCoy family property in North Carolina in July 2022. On Monday, Gryder released a third video, "D.B. Cooper: Deep FBI Update," where he announced the FBI's new and very recent efforts in his discoveries. After watching his first two videos, Gryder said FBI agents contacted Rick and Gryder to see the parachute. It was the first investigative move by the agency since issuing the 2016 public statement, declaring the case closed pending new evidence. Gryder and Rick McCoy traveled to Richmond, Virginia, in September 2023, where they met with FBI agents, who took the harness and parachute into evidence along with a skydiving logbook found by Chanté that aligned with the timeline for both hijackings, providing another vital piece in the puzzle, Gryder said.... During the meeting, Gryder said the agents called it a first step. If the evidence proved fruitless, they would have promptly returned the skydiving rig, he said, but that didn't happen. Instead, an FBI agent called Rick a month later to ask to s