The term "auth" is ambiguous, often meaning either authentication (authn) or authorization (authz), which leads to confusion and poor system design. Instead, Nicole Tietz-Sokolskaya, a software engineer at AI market research platform Remesh, argues that the industry adopt the terms "login" for authentication and "permissions" for authorization, as these are clearer and help maintain distinct, appropriate abstractions for each concept. From their blog post: We should always use the most clear terms we have. Sometimes there's not a great option, but here, we have wonderfully clear terms. Those are "login" for authentication and "permissions" for authorization. Both are terms that will make sense with little explanation (in contrast to "authn" and "authz", which are confusing on first encounter) since almost everyone has logged into a system and has run into permissions issues. There are two ways to use "login" here: the noun and the verb form. The noun form is "login", which refers to the information you enter to gain access to the system. And the verb form is "log in", which refers to the action of entering your login to use the system. "Permissions" is just the noun form. To use a verb, you would use "check permissions." While this is long, it's also just... fine? It hasn't been an issue in my experience.

Both of these are abundantly clear even to our peers in disciplines outside software engineering. This to me makes it worth using them from a clarity perspective alone. But then we have the big benefit to abstractions, as well. When we call both by the same word, there's often an urge to combine them into a single module just by dint of the terminology. This isn't necessarily wrong -- there is certainly some merit to put them together, since permissions typically require a login. But it's not necessary, either, and our designs will be stronger if we don't make that assumption and instead make a reasoned choice.

The Internet Archive is "currently in its third day of warding off an intermittent DDoS cyber-attack," writes Chris Freeland, Director of Library Services at Internet Archive, in a blog post. While library staff stress that the archives are safe, access to its services are affected, including the Wayback Machine. From the post: Since the attacks began on Sunday, the DDoS intrusion has been launching tens of thousands of fake information requests per second. The source of the attack is unknown. "Thankfully the collections are safe, but we are sorry that the denial-of-service attack has knocked us offline intermittently during these last three days," explained Brewster Kahle, founder and digital librarian of the Internet Archive. "With the support from others and the hard work of staff we are hardening our defenses to provide more reliable access to our library. What is new is this attack has been sustained, impactful, targeted, adaptive, and importantly, mean." Cyber-attacks are increasingly frequent against libraries and other knowledge institutions, with the British Library, the Solano County Public Library (California), the Berlin Natural History Museum, and Ontario's London Public Library all being recent victims.

In addition to a wave of recent cyber-attacks, the Internet Archive is also being sued by the US book publishing and US recording industries associations, which are claiming copyright infringement and demanding combined damages of hundreds of millions of dollars and diminished services from all libraries. "If our patrons around the globe think this latest situation is upsetting, then they should be very worried about what the publishing and recording industries have in mind," added Kahle. "I think they are trying to destroy this library entirely and hobble all libraries everywhere. But just as we're resisting the DDoS attack, we appreciate all the support in pushing back on this unjust litigation against our library and others."

An anonymous reader quotes a report from Wired: Two years ago when "Michael," an owner of cryptocurrency, contacted Joe Grand to help recover access to about $2 million worth of bitcoin he stored in encrypted format on his computer, Grand turned him down. Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about [...] $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password. "At [that] time, I was really paranoid with my security," he laughs.

Grand is a famed hardware hacker who in 2022 helped another crypto wallet owner recover access to $2 million in cryptocurrencyhe thought he'd lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand to help them recover their treasure. But Grand, known by the hacker handle "Kingpin," turns down most of them, for various reasons. Grand is an electrical engineer who began hacking computing hardware at age 10 and in 2008 cohosted the Discovery Channel's Prototype This show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using complex hardware techniques that forced the USB-style wallet to reveal its password. But Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand's hardware skills were relevant this time. [...] Michael contacted multiple people who specialize in cracking cryptography; they all told him "there's no chance" of retrieving his money. But last June he approached Grand again, hoping to convince him to help, and this time Grand agreed to give it a try, working with a friend named Bruno in Germany who also hacks digital wallets.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version -- and subsequent versions until 2015 -- did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user's computer -- it determined the computer's date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past. [...] There was one problem: Michael couldn't remember when he created the password. According to the log on his software wallet, Michael moved bitcoin into his wallet for the first time on April 14, 2013. But he couldn't remember if he generated the password the same day or some time before or after this. So, looking at the parameters of other passwords he generated using RoboForm, Grand and Bruno configured RoboForm to generate 20-character passwords with upper- and lower-case letters, numbers, and eight special characters from March 1 to April 20, 2013. It failed to generate the right password. [...] Instead, they revealed that they had finally found the correct password -- no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.

BrianFagioli writes: Canonical has officially released the optimized Ubuntu 24.04 image for the Milk-V Mars, a credit-card-sized RISC-V single board computer (SBC) developed by Shenzhen MilkV Technology Co., Ltd.

The Milk-V Mars is the world's first high-performance RISC-V SBC of its size. Powered by the StarFive JH7110 quad-core processor, the board is equipped with up to 8GB of LPDDR4 memory and supports various modern interfaces, including USB 3.0, HDMI 2.0 for 4K output, and Ethernet with PoE capabilities. It also offers comprehensive expansion options with M.2 E-Key and extensive MIPI CSI channels, making it an ideal choice for developers and tech enthusiasts.

An anonymous reader shares a report: Commercial dot-matrix printing was yet another arena in which the needs of Chinese character I/O were not accounted for. This is witnessed most clearly in the then-dominant configuration of printer heads -- specifically the 9-pin printer heads found in mass-manufactured dot-matrix printers during the 1970s. Using nine pins, these early dot-matrix printers were able to produce low-resolution Latin alphabet bitmaps with just one pass of the printer head. The choice of nine pins, in other words, was "tuned" to the needs of Latin alphabetic script.

These same printer heads were incapable of printing low-resolution Chinese character bitmaps using anything less than two full passes of the printer head, one below the other. Two-pass printing dramatically increased the time needed to print Chinese as compared to English, however, and introduced graphical inaccuracies, whether due to inconsistencies in the advancement of the platen or uneven ink registration (that is, characters with differing ink densities on their upper and lower halves).

Compounding these problems, Chinese characters printed in this way were twice the height of English words. This created comically distorted printouts in which English words appeared austere and economical, while Chinese characters appeared grotesquely oversized. Not only did this waste paper, but it left Chinese-language documents looking something like large-print children's books. When consumers in the Chinese-Japanese-Korean (CJK) world began to import Western-manufactured dot-matrix printers, then, they faced yet another facet of Latin alphabetic bias.

A hacker group called RansomHub said it was behind the cyberattack that hit the Christie's website just days before its marquee spring sales began, forcing the auction house to resort to alternatives to online bidding. From a report: In a post on the dark web on Monday, the group claimed that it had gained access to sensitive information about the world's wealthiest art collectors, posting only a few examples of names and birthdays. It was not immediately possible to verify RansomHub's claims, but several cybersecurity experts said they were a known ransomware operation and that the claim was plausible. Nor was it clear if the hackers had gained access to more sensitive information, including financial data and client addresses. The group said it would release the data, posting a countdown timer that would reach zero by the end of May.

At Christie's, a spokesman said in a statement, "Our investigations determined there was unauthorized access by a third party to parts of Christie's network." The spokesman, Edward Lewine, said that the investigations "also determined that the group behind the incident took some limited amount of personal data relating to some of our clients." He added, "There is no evidence that any financial or transactional records were compromised." Hackers said that Christie's failed to pay a ransom when one was demanded.

An anonymous reader shares a report: Similar to the GCC compiler dropping support for the Xeon Phi Knights Mill and Knights Landing accelerators a few days ago, Intel has also gone ahead and seen to the removal of Xeon Phi support for the LLVM/Clang 19 compiler. Since earlier this year in LLVM/Clang 18 the Xeon Phi Knights Mill and Knights Landing support was treated as deprecated. Now for the LLVM 19 release due out around September, the support is removed entirely. This aligns with GCC 14 having deprecated Xeon Phi support too and now in GCC 15 Git having the code removed.

Microsoft has announced Auto SR, an AI-powered image upscaling solution for Windows 11 on Arm devices. The feature, exclusive to Qualcomm's Snapdragon X CPUs, aims to enhance gaming performance on ARM-based systems. Auto SR, however, comes with notable restrictions, including compatibility limitations with certain DirectX versions and the inability to work simultaneously with HDR.

Microsoft says the Cortana, Tips, and WordPad applications will be automatically removed on systems upgraded to the upcoming Windows 11 24H2 release. From a report: This was shared in a Thursday blog announcing that Windows 11, version 24H2 (Build 26100.712) is now available for Insiders in the Release Preview Channel. The company removed the Cortana standalone app from Windows 11 in preview build 25967 for Insiders, released in the Canary Channel in early October. It first announced that it would end support for Cortana in a support document published in June and deprecated it in another Canary build in August.

In September, Microsoft announced that it would deprecate WordPad -- automatically installed on Windows systems for 28 years, since 1995, and an optional Windows feature since the Windows 10 Insider Build 19551 release in February 2020 -- with a future Windows update. In November, the company also informed users that the Tips app was deprecated and would be removed in a future Windows release.

"Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing," reports Phoronix: The mseal system call was led by Jeff Xu of Google's Chrome team. The goal with memory sealing is to also protect the memory mapping itself against modification. The new mseal Linux documentation explains:

"Modern CPUs support memory permissions such as RW and NX bits. The memory permission feature improves security stance on memory corruption bugs, i.e. the attacker can't just write to arbitrary memory and point the code to it, the memory has to be marked with X bit, or else an exception will happen. Memory sealing additionally protects the mapping itself against modifications. This is useful to mitigate memory corruption issues where a corrupted pointer is passed to a memory management system... Memory sealing can automatically be applied by the runtime loader to seal .text and .rodata pages and applications can additionally seal security-critical data at runtime. A similar feature already exists in the XNU kernel with the VM_FLAGS_PERMANENT flag and on OpenBSD with the mimmutable syscall."

The mseal system call is designed to be used by the likes of the GNU C Library "glibc" while loading ELF executables to seal non-writable memory segments or by the Google Chrome web browser and other browsers for protecting security sensitive data structures.

A Rust Foundation blog post begins by reminding readers that Rust programs "are unable to compile if memory management rules are violated, essentially eliminating the possibility of a memory issue at runtime."

But then it goes on to explore "Unsafe Rust in the wild" (used for a small set of actions like dereferencing a raw pointer, modifying a mutable static variable, or calling unsafe functions). "At a superficial glance, it might appear that Unsafe Rust undercuts the memory-safety benefits Rust is becoming increasingly celebrated for. In reality, the unsafe keyword comes with special safeguards and can be a powerful way to work with fewer restrictions when a function requires flexibility, so long as standard precautions are used."

The Foundation lists those available safeguards — which "make exploits rare — but not impossible." But then they go on to analyze just how much Rust code actually uses the unsafe keyword: The canonical way to distribute Rust code is through a package called a crate. As of May 2024, there are about 145,000 crates; of which, approximately 127,000 contain significant code. Of those 127,000 crates, 24,362 make use of the unsafe keyword, which is 19.11% of all crates. And 34.35% make a direct function call into another crate that uses the unsafe keyword [according to numbers derived from the Rust Foundation project Painter]. Nearly 20% of all crates have at least one instance of the unsafe keyword, a non-trivial number.

Most of these Unsafe Rust uses are calls into existing third-party non-Rust language code or libraries, such as C or C++. In fact, the crate with the most uses of the unsafe keyword is the Windows crate, which allows Rust developers to call into various Windows APIs. This does not mean that the code in these Unsafe Rust blocks are inherently exploitable (a majority or all of that code is most likely not), but that special care must be taken while using Unsafe Rust in order to avoid potential vulnerabilities...

Rust lives up to its reputation as an excellent and transformative tool for safe and secure programming, even in an Unsafe context. But this reputation requires resources, collaboration, and constant examination to uphold properly. For example, the Rust Project is continuing to develop tools like Miri to allow the checking of unsafe Rust code. The Rust Foundation is committed to this work through its Security Initiative: a program to support and advance the state of security within the Rust Programming language ecosystem and community. Under the Security Initiative, the Rust Foundation's Technology team has developed new tools like [dependency-graphing] Painter, TypoMania [which checks package registries for typo-squatting] and Sandpit [an internal tool watching for malicious crates]... giving users insight into vulnerabilities before they can happen and allowing for a quick response if an exploitation occurs.

An anonymous reader quotes a report from The Register: The Federal Trade Commission (FTC) has shared data on the most impersonated companies in 2023, which include Best Buy, Amazon, and PayPal in the top three. The federal agency detailed the top ten companies scammers impersonate and how much they make depending on the impersonation. By far the most impersonated corp was Best Buy and its repair business Geek Squad, with a total of 52k reports. Amazon impersonators came in second place with 34k reports, and PayPal a distant third with 10,000. Proportionally, the top three made up roughly 72 percent of the reports among the top ten, and Best Buy and Geek Squad scam reports were about 39 percent on their own. Though, high quantity doesn't necessarily translate to greater success for scammers, as the FTC also showed how much scammers made depending on what companies they impersonated. Best Buy and Geek Squad, Amazon, and PayPal scams made about $15 million, $19 million, and $16 million respectively, but that's nothing compared to the $60 million that Microsoft impersonators were able to fleece. [...]

The FTC also reported the vectors scammers use to contact their victims. Phone and email are still the most common means, but social media is becoming increasingly important for scamming and features the most costly scams. The feds additionally disclosed the kinds of payment methods scammers use for all sorts of frauds, including company and individual impersonation scams, investment scams, and romance scams. Cryptocurrency and bank transfers were popular for investment scammers, who are the most prolific on social media, while gift cards were most common for pretty much every other type of scam. However, not all scammers ask for digital payment, as the Federal Bureau of Investigation says that even regular old mail is something scammers are relying on to get their ill-gotten gains.

Apple has shed more light on the bizarre iOS 17.5 bug that caused long-deleted photos to mysteriously reappear on users' devices. In a statement to 9to5Mac, the iPhone maker clarified that the issue stemmed from a corrupted database on the device itself, not iCloud Photos. This means the photos were never fully erased from the device, but they also weren't synced to iCloud. Interestingly, these files could have hitched a ride to new devices through backups or direct transfers.

Messaging app Signal's president Meredith Whittaker criticized rival Telegram's security on Friday, saying Telegram founder Pavel Durov is "full of s---" in his claims about Signal. "Telegram is a social media platform, it's not encrypted, it's the least secure of messaging and social media services out there," Whittaker told TechCrunch in an interview. The comments come amid a war of words between Whittaker, Durov and Twitter owner Elon Musk over the security of their respective platforms. Whittaker said Durov's amplification of claims questioning Signal's security was "incredibly reckless" and "actually harms real people."

"Play your games, but don't take them into my court," Whittaker said, accusing Durov of prioritizing being "followed by a professional photographer" over getting facts right about Signal's encryption. Signal uses end-to-end encryption by default, while Telegram only offers it for "secret chats." Whittaker said many in Ukraine and Russia use Signal for "actual serious communications" while relying on Telegram's less-secure social media features. She said the "jury is in" on the platforms' comparative security and that Signal's open source code allows experts to validate its privacy claims, which have the trust of the security community.

Hackers have compromised a popular courtroom recording software, JAVS, gaining full control through a backdoored update. Louisville, Kentucky-based Justice AV Solutions, its maker, pulled the compromised software, reset passwords, and audited its systems. Cybersecurity firm Rapid7 found that the corrupted installer grants attackers full access and transmits host system data to a command-and-control server. The Record adds: In its advisory, Rapid7 stressed the need to reimage all endpoints where the software was installed, and to reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote. "Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate," they wrote. "Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials."

Speaking of Samsung, samleecole shares a report about the contract the South Korean firm requires repair shops to sign: In exchange for selling them repair parts, Samsung requires independent repair shops to give Samsung the name, contact information, phone identifier, and customer complaint details of everyone who gets their phone repaired at these shops, according to a contract obtained by 404 Media. Stunningly, it also requires these nominally independent shops to "immediately disassemble" any phones that customers have brought them that have been previously repaired with aftermarket or third-party parts and to "immediately notify" Samsung that the customer has used third-party parts.

"Company shall immediately disassemble all products that are created or assembled out of, comprised of, or that contain any Service Parts not purchased from Samsung," a section of the agreement reads. "And shall immediately notify Samsung in writing of the details and circumstances of any unauthorized use or misappropriation of any Service Part for any purpose other than pursuant to this Agreement. Samsung may terminate this Agreement if these terms are violated."

An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

A server maintained by Cogent Communications, one of the 13 root servers crucial to the Internet's domain name system, fell out of sync with its peers for over four days due to an unexplained glitch. This issue, which could have caused worldwide stability and security problems, was resolved on Wednesday.

The root servers store cryptographic keys necessary for authenticating intermediate servers under the DNSSEC mechanism. Inconsistencies in these keys across the 13 servers could lead to an increased risk of attacks such as DNS cache poisoning. Engineers postponed planned updates to the .gov and .int domain name servers' DNSSEC to use ECDSA cryptographic keys until the situation stabilized. Cogent stated that it became aware of the issue on Tuesday and resolved it within 25 hours. ArsTechnica, which has a great writeup about the incident, adds: Initially, some people speculated that the depeering of Tata Communications, the c-root site outage, and the update errors to the c-root itself were all connected somehow. Given the vagueness of the statement, the relation of those events still isn't entirely clear.

A hacker claims to have breached a scam call center, stolen the source code for the company's tools, and emailed the company's scam victims, according to multiple screenshots and files provided by the hacker to 404 Media. From the report: The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

"Hello, everyone! If you are seeing this email then you have been targeted by a fake antivirus company known as 'Waredot,'" the hacker wrote in their alleged email to customers, referring to the scam call center. The email goes on to suggest that customers issue a chargeback "as this trash software isn't worth anywhere NEAR $300-$400 per month, and these trash idiots don't deserve your money!"

Michael Larabel reports via Phoronix: The latest RISC-V port updates have been merged for the in-development Linux 6.10 kernel. Most notable with today's RISC-V merge to Linux 6.10 is now supporting the Rust programming language within the Linux kernel. RISC-V joins the likes of x86_64, LoongArch, and ARM64 already supporting the use of the in-kernel Rust language support. The use of Rust within the mainline Linux kernel is still rather limited with just a few basic drivers so far and a lot of infrastructure work taking place, but there are a number of new drivers and other subsystem support on the horizon. RISC-V now supporting Rust within the Linux kernel will become more important moving forward.

The RISC-V updates for Linux 6.10 also add byte/half-word compare-and-exchange, support for Zihintpause within hwprobe, a PR_RISCV_SET_ICACHE_FLUSH_CTX prctl(), and support for lockless lockrefs. More details on these RISC-V updates for Linux 6.10 via this Git merge.