Submission + - Vendors Slowly Patch Critical MegaRAC Flaw (networkworld.com)

Submitted by itwbennett
itwbennett writes: From the Network World article:

Weeks after BIOS developer AMI released an update fixing a critical vulnerability in its MegaRAC baseband management controller (BMC) firmware used in many enterprise servers and storage systems, OEM patches addressing the issue are slowly trickling out.

The latest vendor to release patches was Lenovo, which appears to have taken until April 17 to release its patch. And although Asus patches for four motherboard models appeared only this week, the exact time these were posted is unconfirmed; the dates on the updates range from March 12 to March 28.

Among the first to release a patch was Hewlett Packard Enterprise (HPE), which on March 20 released an update for its HPE Cray XD670, used for AI and high-performance computing (HPC) workloads. Other OEMs known to use AMI’s MegaRAC BMC include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm.

Submission + - China shares rare Moon rocks (bbc.co.uk)

Submitted by AmiMoJo
AmiMoJo writes: China will let scientists from six countries, including the US, examine the rocks it collected from the Moon — a scientific collaboration that comes as the two countries remain locked in a bitter trade war.

Two Nasa-funded US institutions have been granted access to the lunar samples collected by the Chang'e-5 mission in 2020, the China National Space Administration (CNSA) said on Thursday.

CNSA chief Shan Zhongde said that the samples were "a shared treasure for all humanity," local media reported.

Chinese researchers have not been able to access Nasa's Moon samples because of restrictions imposed by US lawmakers on the space agency's collaboration with China.

Under the 2011 law, Nasa is banned from collaboration with China or any Chinese-owned companies unless it is specifically authorised by Congress.

But John Logsdon, the former director of the Space Policy Institute at George Washington University, told BBC Newshour that the latest exchange of Moon rocks have "very little to do with politics".

While there are controls on space technology, the examination of lunar samples had "nothing of military significance", he said.

"It's international cooperation in science which is the norm."

Submission + - Perplexity CEO Says Its Browser Will Track Everything Users Do To Sell Ads (techcrunch.com)

Submitted by Anonymous Coward
An anonymous reader writes: Perplexity CEO Aravind Srinivas said this week on the TBPN podcast that one reason Perplexity is building its own browser is to collect data on everything users do outside of its own app. This so it can sell premium ads. “That’s kind of one of the other reasons we wanted to build a browser, is we want to get data even outside the app to better understand you,” Srinivas said. “Because some of the prompts that people do in these AIs is purely work-related. It’s not like that’s personal.”

And work-related queries won’t help the AI company build an accurate-enough dossier. “On the other hand, what are the things you’re buying; which hotels are you going [to]; which restaurants are you going to; what are you spending time browsing, tells us so much more about you,” he explained. Srinivas believes that Perplexity’s browser users will be fine with such tracking because the ads should be more relevant to them. “We plan to use all the context to build a better user profile and, maybe you know, through our discover feed we could show some ads there,” he said. The browser, named Comet, suffered setbacks but is on track to be launched in May, Srinivas said.

Submission + - 50+ House Democrats demand answers after whistleblower report on DOGE (npr.org) 1

Submitted by echo123
echo123 writes: Over fifty Democratic lawmakers have signed a letter demanding answers from senior U.S. government officials about a recent potential exposure of sensitive data about American workers.

The letter is addressed to the acting General Counsel of the National Labor Relations Board, William Cowen. The independent agency is in charge of investigating and adjudicating complaints about unfair labor practices and protecting U.S. workers' rights to form unions.

The lawmakers, who are part of the Congressional Labor Caucus, wrote the letter in light of news first reported by NPR, that a whistleblower inside the IT Department of the NLRB says DOGE may have removed sensitive labor data and exposed NLRB systems to being compromised.

"These revelations from the whistleblower report are highly concerning for a number of reasons," the lawmakers wrote in the letter to Cowen. "If true, these revelations describe a reckless approach to the handling of sensitive personal information of workers, which could leave these workers exposed to retaliation for engaging in legally protected union activity."

The letter refers to an official whistleblower disclosure made by Daniel Berulis, a cloud administrator in the IT department of the NLRB, who also spoke to NPR in multiple interviews.

In his disclosure, Berulis shared that he initially became concerned in March when members of President Donald Trump's Department of Government Efficiency initiative arrived at the agency and demanded high-level access to the systems without their activities being logged. Those fears escalated after he tracked a large chunk of data leaving the agency at the same time as many security controls and auditing tools were turned off, the disclosure continues.

Ultimately, Berulis became concerned that DOGE, which is effectively led by Trump adviser and billionaire CEO Elon Musk, could have accessed sensitive internal information about ongoing investigations into U.S. companies, witness affidavits and even corporate secrets. The alleged insecure practices and removal of data could also create vulnerabilities for criminal hackers or foreign adversaries to exploit, Berulis explained in his official disclosure.

Submission + - The CVE database almost wasgone. Now 11 months left (theregister.com)

Submitted by gavron
gavron writes: The CVE list contains over 25 years of security vulnerabilities. Stephen J Vaughn-Nichols explains why it's important to ALL countries and ALL ITSEC people. It also almost just went away when rabid DOGGIES tried to cut it.

It also only has 11 months left to live based on funding, so FDJT may try and cripple it again. It helps EVERYONE and only hurts blackhat hackers. Unfortunately nobody in Congress understands anything technical (except for Ron Widen) and they're too busy dismantling their own least favorite part (CDA Sec 230) to worry about this.

Meanwhile the US FBI, UK, and NZ equivs say we should have back doors in encryption.

CVEs are important. This should not be defunded. Call up the office of that idiot in your district and tell their PA that.

Submission + - Hackers can now bypass Linux security thanks to terrifying new Curing rootkit (betanews.com)

Submitted by BrianFagioli
BrianFagioli writes: ARMO, the company behind Kubescape, has uncovered what could be one of the biggest blind spots in Linux security today. The company has released a working rootkit called âoeCuringâ that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.

At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms.

Submission + - Tariffs May Finally Make Recycling Rare Earth Elements Pay Off (networkworld.com)

Submitted by itwbennett
itwbennett writes: Computerworld reports that Western Digital and Microsoft are testing ways to recover precious materials from old servers. “A new advanced sorting ecosystem with an eco-friendly non-acid process not only recaptures essential rare earth elements but also extracts metals like gold, copper, aluminum, and steel, feeding them back into the US supply chain,” Western Digital said in a statement. This part isn't new. What's new is the math. Thanks to Trump's tariff war and 'moves by China to halt the export of bismuth, which might hold the key to future faster and more efficient semiconductors,' the few dollars' worth of materials in one server might be enough ROI to make it worthwhile. Gartner analyst Autumn Stanish is positive about the Western Digital news, but advises caution. 'This seems, based on the public information, far from the volume and scale to achieve the independence and carbon savings potential presented,' she said.

Submission + - Censorship and fraud driving creators away from YouTube 1

Submitted by NewtonsLaw
NewtonsLaw writes: When YouTuber Bruce Simpson received notification of a community guidelines infringement on his xjet YouTube channel he wasn't happy. YouTube alleges that one of his videos constitutes "hate speech" and even after review, the platform stands by its allegations.

What was the video that risks inciting hate and violence to such an extent that it needed to be removed, even after "appeal"?

Well it wasn't anything political, ideological or even violent. It was a two minute video of a radio controlled model aircraft flying in the skies at his local airfield in Tokoroa, New Zealand.

Incensed by this baseless allegation, Simpson posted this video to YouTube and within a few hours it had already gathered tens of thousands of views and over a thousand comments. Those comments make for great reading and show just how "out of touch" YouTube has become with its target audience and its creators.

The hypocrisy is also highlighted, as Simpson points out just how YouTube is prepared to overlook or even support frauds being perpetrated on its audience by way of scam advertisements that continue to play weeks or even months after they've been reported by countless people, many of who have become victims of the scams.

Has YouTube lost its way? Has it forgotten its roots? Are many creators now turning to self-hosting in reaction to ridiculous levels of censorship?

Or do we have a reverse adpocalypse — where content creators are shunning YouTube because they do not want their content being run alongside fraudulent scammy ads placed by YouTube?

Submission + - Taiwan Drone Alliance Quadruples Size, Fortifies Supply Chain (aviationweek.com)

Submitted by schwit1
schwit1 writes:

Taiwan’s state-backed drone industry alliance has grown from 50 members at its September 2024 inception to more than 200 today and is expeditiously decoupling from China-based supply chains, Chairman Hu Kai-Hung tells Aviation Week.

Hu, who also serves as the chairman of Taiwan’s Aerospace Industrial Development Corporation (AIDC), says that the drone alliance is laser-focused on creating a “non-red supply chain”—the red referring to China—to align with the requirements of the U.S., which has flagged the security threats posed by Chinese drones.

Members of the Taiwan Excellence Drone International Business Opportunities Alliance (Tediboa) are required to prove the origin of their components, Hu says.

USA should be doing the same.

Related: Drones now account for 80% of casualties in Ukraine-Russia war.

That's remarkable. Artillery — the previous champ — topped out last century at 60-70% of casualties, depending on the war.

Submission + - China builds Thorium reactor based on abandoned US design (interestingengineering.com)

Submitted by xanthos
xanthos writes: China has built an experimental 2 MW working thorium reactor in the Gobi desert using declassified US documents from the early 60's.

Thorium Salt reactors are safer (think lava vs explosive steam), less radioactive, and the scientists involved were able to refuel the reactor without having to shut it down. A 10 MW unit is expected to be online by 2030.

Submission + - How Meta monetises the migrant crisis (openrightsgroup.org)

Submitted by Shakes Fist
Shakes Fist writes: Research by ORG found that fraudulent adverts offering fake identity documents are still being run on Facebook. This is despite Meta claiming it had stamped out the problem after previous media coverage exposed the issue months ago.

Now ORG has discovered that these scams have not gone away.

Submission + - ICE Is Paying Palantir $30 Million to Build 'ImmigrationOS' Surveillance System (wired.com)

Submitted by ArchieBunker
ArchieBunker writes: Immigration and Customs Enforcement is paying software company Palantir $30 million to provide the agency with “near real-time visibility” on people self-deporting from the United States, according to a contract justification published in a federal register on Thursday. The tool would also help ICE choose who to deport, giving special priority to “visa overstays,” the document shows.

Palantir has been an ICE contractor since 2011, but the document published Thursday indicates that Palantir wants to provide brand-new capabilities to ICE. The agency currently does not have any publicly known tools for tracking self-deportation in near real-time. The agency does have a tool for tracking self-reported deportations, but Thursday’s document, which was first reported by Business Insider, does not say to what degree this new tool may rely on self-reported data. ICE also has “insufficient technology” to detect people overstaying their visas, according to the Department of Homeland Security. This is particularly due to challenges in collecting "biographic and biometric" data from departing travelers, especially if they leave over land, according to Customs and Border Protection.

The agency says in the document that these new capabilities will be under a wholly new platform called the Immigration Lifecycle Operating System, or ImmigrationOS. Palantir is expected to provide a prototype of ImmigrationOS by September 25, 2025, and the contract is scheduled to last at least through September 2027. ICE’s update to the contract comes as the Trump administration is demanding that thousands of immigrants “self-deport,” or leave the US voluntarily.

ICE and Palantir did not respond for comment.

According to the document, ImmigrationOS is intended to have three core functions. Its “Targeting and Enforcement Prioritization” capability would streamline the “selection and apprehension operations of illegal aliens.” People prioritized for removal, ICE says, should be “violent criminals,” gang members, and “visa overstays.”

Its “Self-Deportation Tracking” function would have “near real-time visibility into instances of self-deporation,” the document says. The document does not say what data Palantir would use for such a system, but ICE says it aims to “accurately report metrics of alien departures from the United States.” The agency stipulates that this tool should also integrate with “enforcement prioritization systems to inform policy” but does not elaborate on these systems or policies.

Meanwhile, the “Immigration Lifecycle Process” function would streamline the “identification” of aliens and their “removal” from the United States, with the goal of making "deportation logistics” more efficient.

In a “rationale” section, ICE claims that it has an “urgent and compelling” need for ImmigrationOS’s capabilities. Without them, ICE claims, it would be “severely” limited in its ability to target the gangs MS-13 and Tren de Aragua, and abide by President Donald Trump’s executive order to expedite deportations.

Palantir, ICE claims, is “the only source that can provide the required capabilities and prototype of ImmogrationOS [sic] without causing unacceptable delays.” ICE says the company has developed “deep institutional knowledge of the agency’s operations over more than a decade of support.”

“No other vendor could meet these timeframes of having the infrastructure in place to meet this urgent requirement and deliver a prototype in less than six months,” ICE says in the document.

ICE’s document does not specify the data sources Palantir would pull from to power ImmigrationOS. However, it says that Palantir could “configure” the case management system that it has provided to ICE since 2014.

Palantir has done work at various other government agencies as early as 2007. Aside from ICE, it has worked with the US Army, Air Force, Navy, Internal Revenue Service, and Federal Bureau of Investigation. As reported by WIRED, Palantir is currently helping Elon Musk’s so-called Department of Government Efficiency (DOGE) build a brand-new “mega API” at the IRS that could search for records across all the different databases that the agency maintains.

Last week, 404 Media reported that a recent version of Palantir’s case-management system for ICE allows agents to search for people based on “hundreds of different, highly specific categories,” including how a person entered the country, their current legal status, and their country of origin. It also includes a person’s hair and eye color, whether they have scars or tattoos, and their license-plate reader data, which would provide detailed location data about where that person travels by car.

These functionalities have been mentioned in a government privacy assessment published in 2016, and it’s not clear what new information may have been integrated into the case management system over the past four years.

This week’s $30 million award is an addition to an existing Palantir contract penned in 2022, originally worth about $17 million, for work on ICE’s case management system. The agency has increased the value of the contract five times prior to this month; the largest was a $19 million increase in September 2023.

The contract’s ImmigrationOS update was first documented on April 11 in a government-run database tracking federal spending. The entry had a 248-character description of the change. The five-page document ICE published Thursday, meanwhile, has a more detailed description of Palantir’s expected services for the agency.

The contract update comes as the Trump administration deputizes ICE and other government agencies to drastically escalate the tactics and scale of deportations from the US. In recent weeks, immigration authorities have arrested and detained people with student visas and green cards, and deported at least 238 people to a brutal megaprison in El Salvador, some of whom have not been able to speak with a lawyer or have due process.

As part of its efforts to push people to self-deport, DHS in late March revoked the temporary parole of more than half a million people and demanded that they self-deport in about a month, despite having been granted authorization to live in the US after fleeing dangerous or unstable situations in Cuba, Haiti, Nicaragua, and Venezuela under the so-called “CHNV parole programs.”

Last week, the Social Security Administration listed more than 6,000 of these people as dead, a tactic meant to end their financial lives. DHS, meanwhile, sent emails to an unknown number of people declaring that their parole had been revoked and demanding that they self-deport. Several US citizens, including immigration attorneys, received the email.

On Monday, a federal judge temporarily blocked the Trump administration’s move to revoke people’s authorization to live in the US under the CHNV programs. White House spokesperson Karoline Leavitt called the judge’s ruling “rogue.”

Submission + - FDA did not notify the public of deadly E. coli outbreak across 15 states (nbcnews.com)

Submitted by joshuark
joshuark writes: The outbreak is linked to romaine lettuce killed one person and sickened at least 88 more, including a 9-year-old boy who nearly died of kidney failure.

“There were no public communications related to this outbreak,” the FDA said in its report, which noted that there had been a death but provided no details about it.

The Food and Drug Administration (FDA) reported in February that it had closed the investigation without publicly detailing what had happened, or which companies were responsible for growing and processing the contaminated lettuce.

The FDA said its staff members “continue to provide critical communications to consumers associated with foodborne outbreaks,” including information about recalls and investigations.

Submission + - Digital Activists Code Tarpits to Trap and Poison AI (arstechnica.com)

Submitted by IonOtter
IonOtter writes: Digital activists, skirting the edge of the law, are coding web-based "tarpits" that not only trap unscrupulous AI in an endless loop, the malicious code causes the AI to become hopelessly contaminated with useless gibberish.

Aaron clearly warns users that Nepenthes is aggressive malware. It's not to be deployed by site owners uncomfortable with trapping AI crawlers and sending them down an "infinite maze" of static files with no exit links, where they "get stuck" and "thrash around" for months, he tells users. Once trapped, the crawlers can be fed gibberish data, aka Markov babble, which is designed to poison AI models.

Slashdot Top Deals