The Courts

Florida Braces For Lawsuits Over Law Banning Kids From Social Media (arstechnica.com) 168

An anonymous reader quotes a report from Ars Technica: On Monday, Florida became the first state to ban kids under 14 from social media without parental permission. It appears likely that the law -- considered one of the most restrictive in the US -- will face significant legal challenges, however, before taking effect on January 1. Under HB 3, apps like Instagram, Snapchat, or TikTok would need to verify the ages of users, then delete any accounts for users under 14 when parental consent is not granted. Companies that "knowingly or recklessly" fail to block underage users risk fines of up to $10,000 in damages to anyone suing on behalf of child users. They could also be liable for up to $50,000 per violation in civil penalties. [...]

DeSantis' statement noted that "in addition to protecting children from the dangers of social media, HB 3 requires pornographic or sexually explicit websites to use age verification to prevent minors from accessing sites that are inappropriate for children." This suggests that Florida could face a legal challenge from adult sites like Pornhub, which have been suing to block states from requiring an ID to access adult content. Most recently, Pornhub blocked access to its platform in Texas, arguing that such laws "impinge on the rights of adults to access protected speech" and fail "strict scrutiny by employing the least effective and yet also most restrictive means of accomplishing Texas's stated purpose of allegedly protecting minors."

According to the Guardian, [Florida House Speaker Paul Renner, who spearheaded the law] expected that social media companies would "sue the second after" HB 3 was signed. So far, no legal challenges have been raised, but Renner seemingly expects that the law's focus on "addictive features such as notification alerts and autoplay videos, rather than on their content" would ensure that the law defeats any constitutional concerns potentially raised by social media companies. "We're going to beat them, and we're never, ever going to stop," Renner vowed.

Social Networks

Reddit May Need To Ramp Up Spending On Content Moderation, Analysts Say (reuters.com) 140

An anonymous reader quotes a report from Reuters: Reddit will need to spend heavily on content moderation as it may face greater scrutiny as a public company, analysts said, threatening its longstanding policy of relying on an army of volunteers to maintain order on its platform. The newly listed company warned in its initial public offering (IPO) paperwork that its unique approach to content moderation can sometimes subject it to disruptions like in 2023, when several moderators protested against its decision to charge third-party app developers for access to its data.

Depending on volunteers is not sustainable, given the regulatory scrutiny that the company will now face, said Julian Klymochko, CEO of alternative investment solutions firm Accelerate Financial Technologies. "It's like relying on unpaid labor when the company has nearly a billion dollars in revenue," he added. Reddit reported revenue of $804 million in 2023, according to an earlier filing. Reddit will need to make substantial investments in trust and safety, which could lead to a "dramatic" rise in expenses, Klymochko said. Josh White, former economist at the Securities and Exchange Commission and assistant professor of finance at Vanderbilt University, also said that banking on free volunteers is Reddit's biggest risk. The company would need to ramp up spending on anti-misinformation efforts especially as the U.S. prepares for the presidential election later this year, White said.
"We believe our approach is the most sustainable and scalable moderation model that exists online today. We are continually investing in and iterating on new tools and policies to improve our internal capabilities," the Reddit spokesperson said.
Windows

Microsoft Has a New Windows and Surface Chief (theverge.com) 16

Tom Warren reports via The Verge: Microsoft is naming Pavan Davuluri as its new Windows and Surface chief today. After Panos Panay's surprise departure to Amazon last year, Microsoft split up the Windows and Surface groups under two different leaders. Davuluri took over the Surface silicon and devices work, with Mikhail Parakhin leading a new team focused on Windows and web experiences. Now both Windows and Surface will be Davuluri's responsibility, as Parakhin has "decided to explore new roles."

The Verge has obtained an internal memo from Rajesh Jha, Microsoft's head of experiences and devices, outlining the new Windows organization. Microsoft is now bringing together its Windows and devices teams once more. "This will enable us to take a holistic approach to building silicon, systems, experiences, and devices that span Windows client and cloud for this AI era," explains Jha. Pavan Davuluri is now the leader of Microsoft's Windows and Surface team, reporting directly to Rajesh Jha. Davuluri has worked at Microsoft for more than 23 years and was deeply involved in the company's work with Qualcomm and AMD to create custom Surface processors.

Mikhail Parakhin will now report to Kevin Scott during a transition phase, but his future at Microsoft looks uncertain, and it's likely those "new roles" will be outside the company. Parakhin had been working closely on Bing Chat before taking on the broader Windows engineering responsibilities and changes to Microsoft Edge. The Windows shake-up comes just days after Google DeepMind co-founder and former Inflection AI CEO Mustafa Suleyman joined Microsoft as the CEO of a new AI team. Microsoft also hired a bunch of Inflection AI employees, including co-founder Karen Simonyan who is now the chief scientist of Microsoft AI.

Social Networks

'Federation Is the Future of Social Media' (theverge.com) 51

An anonymous reader quotes a report from The Verge, written by Nilay Patel: Today, I'm talking to Jay Graber, the CEO of Bluesky Social, which is a decentralized competitor to Twitter, er, X. Bluesky actually started inside of what was then known as Twitter — it was a project from then-CEO Jack Dorsey, who spent his days wandering the earth and saying things like Twitter should be a protocol and not a company. Bluesky was supposed to be that protocol, but Jack spun it out of Twitter in 2021, just before Elon Musk bought the company and renamed it X. Bluesky is now an independent company with a few dozen employees, and it finds itself in the middle of one of the most chaotic moments in the history of social media. There are a lot of companies and ideas competing for space on the post-Twitter internet, and Jay makes a convincing argument that decentralization -- the idea that you should be able to take your username and following to different servers as you wish -- is the future. It's a powerful concept that's been kicking around for a long time, but now it feels closer to reality than ever before. You've heard us talk about it a lot on Decoder: the core idea is that no single company -- or individual billionaire -- can amass too much power and control over our social networks and the conversations that happen on them.

Bluesky's approach to this is something called the AT Protocol, which powers Bluesky's own platform but which is also a technology that anyone can use right now to host their own servers and, eventually, interoperate with a bunch of other networks. You'll hear Jay explain how building Bluesky the product alongside AT Protocol the protocol has created a cooperate-compete dynamic that runs throughout the entire company and that also informs how it's building products and features -- not only for its own service but also for developers to build on top of. Jay and I also talked about the growth of the Bluesky app, which now has more than 5 million users, and how so many of the company's early decisions around product design and moderation have shaped the type of organic culture that's taken hold there. Content moderation is, of course, one of the biggest challenges any platform faces, and Bluesky, in particular, has had its fair share of controversies. But the idea behind AT Protocol and Bluesky is devolving control, so Bluesky users can pick their own moderation systems and recommendation algorithms -- a grand experiment that I wanted to know much more about.

Finally, Jay and I had the opportunity to get technical and go deeper on standards and protocols, which are the beating heart of the decentralization movement. Bluesky's AT Protocol is far from the only protocol in the mix -- there's also ActivityPub, which is what powers Mastodon and, soon, Meta's Threads. There's been some real animosity between these camps, and I asked Jay about the differences between the two, the benefits of Bluesky's approach, and how she sees the two coexisting in the future.

AI

Stability AI CEO Resigns, Says We Can't Beat Centralized AI With More Centralized AI (techcrunch.com) 10

Stability AI founder and chief executive Emad Mostaque has stepped down from the top role and the unicorn startup's board, the buzzy firm said. From a report: Stability AI, which has been backed by investors including Lightspeed Venture Partners and Coatue Management, doesn't have an immediate permanent replacement for the CEO role but has appointed its COO Shan Shan Wong and CTO Christian Laforte as interim co-CEOs, it said in a blog post. Stability AI, which has lost more than half a dozen key talent in recent quarters, said Mostaque is stepping down to pursue decentralized AI. In a series of posts on X, Mostaque opined that one can't beat "centralized AI" with more "centralized AI," referring to the ownership structure of top AI startups such as OpenAI and Anthropic.
Social Networks

DeSantis Signs Bill Requiring Parental Consent For Kids Under 16 To Hold Social Media Accounts 151

Florida Governor Ron DeSantis just signed into law HB 3 [PDF], a bill that will give parents of teens under 16 more control over their kids' access to social media and require age verification for many websites. From a report: The bill requires social media platforms to prevent kids under 14 from creating accounts, and delete existing ones. It also requires parent or guardian consent for 14- and 15-year-olds to create or maintain social media accounts and mandates that platforms delete social media accounts and personal information for this age group at the teen's or parent's request.

Companies that fail to promptly delete accounts belonging to 14- and 15-year-olds can be sued on behalf of those kids and may owe them up to $10,000 in damages each. A "knowing or reckless" violation could also be considered an unfair or deceptive trade practice, subject to up to $50,000 in civil penalties per violation. The bill also requires many commercial apps and websites to verify their users' ages -- something that introduces a host of privacy concerns. But it does require websites to give users the option of "anonymous age verification," which is defined as verification by a third party that cannot retain identifying information after the task is complete.
Communications

Landlines Are Dying Out (yahoo.com) 142

An anonymous reader shares a report: The number of landline users has plummeted with the rise of cellphones, and the 19th-century technology's days appear to be numbered. Providers like AT&T are looking to exit the business by transitioning customers to cellphones or home telephone service over broadband connections. But for many of the millions of people still clinging to their copper-based landline telephones, newer alternatives are either unavailable, too expensive, or are unreliable when it matters most: in an emergency.

According to the National Center for Health Statistics, only a quarter of adults in the United States still have landlines and only around 5 percent say they mostly or only rely on them. The largest group of people holding onto their landlines are 65 and older. Meanwhile, more than 70 percent of adults are using wireless phones only. The copper lines used for traditional landlines carry electricity over the wires, so as long as a phone is corded or charged it will work during a power outage. Landlines are separate from cellular and broadband networks and are not affected by their outages, making them a necessary backstop in rural areas. Many of those same areas have inadequate cellular or internet coverage.

"In three, four, maybe five years a lot of states are going to say 'Okay, it's permissible to discontinue service if you, the phone company, can demonstrate there's functional alternative service,'" says Rob Frieden, an Academy and Emeritus Professor of Telecommunications and Law at Pennsylvania State University. AT&T recently asked the California Public Utilities Commission to end its obligation to provide landline service in parts of the state. The Federal Communications Commission, which has to approve a request to end service, said it hasn't received one from AT&T.

AI

Behind the Plot To Break Nvidia's Grip on AI By Targeting Software (reuters.com) 44

An anonymous reader shares a report: Nvidia earned its $2.2 trillion market cap by producing AI chips that have become the lifeblood powering the new era of generative AI developers from startups to Microsoft, OpenAI and Google parent Alphabet. Almost as important to its hardware is the company's nearly 20 years' worth of computer code, which helps make competition with the company nearly impossible. More than 4 million global developers rely on Nvidia's CUDA software platform to build AI and other apps. Now a coalition of tech companies that includes Qualcomm, Google and Intel, plans to loosen Nvidia's chokehold by going after the chip giant's secret weapon: the software that keeps developers tied to Nvidia chips.

They are part of an expanding group of financiers and companies hacking away at Nvidia's dominance in AI. "We're actually showing developers how you migrate out from an Nvidia platform," Vinesh Sukumar, Qualcomm's head of AI and machine learning, said in an interview with Reuters. Starting with a piece of technology developed by Intel called OneAPI, the UXL Foundation, a consortium of tech companies, plans to build a suite of software and tools that will be able to power multiple types of AI accelerator chips, executives involved with the group told Reuters. The open-source project aims to make computer code run on any machine, regardless of what chip and hardware powers it.

"It's about specifically - in the context of machine learning frameworks - how do we create an open ecosystem, and promote productivity and choice in hardware," Google's director and chief technologist of high-performance computing, Bill Hugo, told Reuters in an interview. Google is one of the founding members of UXL and helps determine the technical direction of the project, Hugo said. UXL's technical steering committee is preparing to nail down technical specifications in the first half of this year. Engineers plan to refine the technical details to a "mature" state by the end of the year, executives said. These executives stressed the need to build a solid foundation to include contributions from multiple companies that can also be deployed on any chip or hardware.

IT

Atlas VPN To Shut Down, Transfers Paid Subscribers To NordVPN 39

Atlas VPN informed customers on Monday that it will discontinue its services on April 24, citing technological demands, market competition, and escalating costs as key factors in the decision. The company said it will transfer its paid subscribers to its sister company, NordVPN, for the remainder of their subscription period to ensure uninterrupted VPN services.
Microsoft

Microsoft Dev's 30-Year-Old Temporary Code Still Lingers in Windows 11 68

Dave Plummer, a former Microsoft developer, has shared the story behind the Format drive dialog box in Windows, which has remained unchanged for nearly three decades. According to Plummer, the dialog box was created as a temporary solution during the porting of code from Windows 95 to Windows NT, due to differences between the two operating systems. Plummer jotted down all the formatting options on a piece of paper and created a basic UI, intending it to be a placeholder until a more refined version could be developed. However, the intended UI improvement never materialized, and Plummer's temporary solution has persisted through numerous Windows versions, including the latest Windows 11.

Plummer also admitted that the 32GB limit on FAT volume size in Windows was an arbitrary decision he made at the time, which has since become a permanent constraint.
EU

EU Launches Probes Into Apple, Meta, Google Under New Digital Competition Law (europa.eu) 20

The European Union has launched investigations into Apple, Meta and Google under its sweeping new digital-competition law, adding to the regulatory scrutiny large U.S. tech companies are facing worldwide. From a report: The suite of probes [Editor's note: the link may be paywalled; official press release here] announced Monday are the first under the EU's Digital Markets Act law, which took effect earlier this month. They come less than a week after the Justice Department sued Apple over allegations it makes it difficult for competitors to integrate with the iPhone, ultimately raising prices for customers. Apple and Google will now face EU scrutiny of how they are complying with rules that say they must allow app developers to inform customers about alternative offers outside those companies' main app stores. The European Commission, the EU's executive arm, said it is concerned about constraints the tech companies place on developers' ability to freely communicate with users and promote their offers.

The bloc will also examine changes that Google made to how its search results appear in Europe. The new digital competition law says companies cannot give their own services preference over similar services that are offered by rivals. Another probe will look at how Apple complies with rules that say users should be able to easily remove software applications and change default settings on their iPhones, as well as how the company shows choice screens that offer alternative search engine and browser options.

Education

Google Teams with 'Highlights', Shows How Goofus and Gallant Use the Internet (blog.google) 19

Long-time Slashdot reader theodp writes: Last month there was a special Google-funded edition of Highlights for Children, the 77-year-old magazine targeting children between the ages of 6 and 12. This edition was based on Google's "Be Internet Awesome" curriculum, and 1.25 million copies of the print magazine were distributed to children, schools, and other organizations. It's all part of a new partnership between Google and Highlights.

A Google.org blog post calls out the special issue's Goofus and Gallant cartoon, in which always-does-the-wrong-thing Goofus "promised Kayden he wouldn't share the silly photo, but he shares it anyway", while always-does-the-right-thing Gallant "asks others if it's OK to share their photos"...

theodp's original submission linked ironically to Slashdot's earlier story, "Google Hit With Lawsuit Alleging It Stole Data From Millions of Users To Train Its AI Tools."

But even beyond that, it's not always clear what the cartoon is teaching. (In one picture it looks like they're condemning Goofus for not intervening in a flame war between two other people — "Be Kind!")

Still, for me the biggest surprise is that Goofus and Gallant even have laptops. (How old are these kids, that they're already uploading photos of the other children onto the internet?!) Will 6- to 12-year-old children start demanding that their parents buy them their own laptop now — since even Goofus and Gallant already have them?
Moon

Astronomers Demand Radio Silence at the Moon's Far Side, But Resistance May Be Futile (gizmodo.com) 18

Gizmodo reports that increased activity on the Moon "may affect the unique radio silence on the lunar far side, an ideal location for radio telescopes to pick up faint signals from the cosmic past." This week, the International Academy of Astronautics (IAA) held the first Moon Farside Protection Symposium in Italy to advocate for preserving radio silence on the far side of the Moon. The symposium hopes to raise awareness about the threat facing the far side of the Moon and develop approaches to shielding it from artificial radio emissions....

NASA has shown interest in using the lunar radio silence, proposing an ultra-long-wavelength radio telescope inside a crater on the far side of the Moon. The Lunar Crater Radio Telescope is designed to observe the universe at frequencies below 30 megahertz, which are largely unexplored by humans since those signals are reflected by the Earth's ionosphere, according to NASA. At those low frequencies, radio telescopes on the Moon can detect near-Earth objects approaching our planet before other observatories, it can search for signals of alien civilizations, and study organic molecules in interstellar space...

As more missions head towards the Moon, however, that perfect silence is increasingly being compromised. Earlier this week, for example, China launched a satellite to relay communication between ground operations on Earth and an upcoming mission on the far side of the Moon. The satellite, Queqiao-2, is the first of a constellation of satellites that China hopes to deploy by 2040 to communicate with future crewed missions on the Moon and Mars. As part of its Artemis program, NASA is aiming to build the Lunar Gateway, a space station designed to orbit the Moon to support future missions to the lunar surface and Mars. In advance of this, a NASA-funded cubesat, called CAPSTONE, has entered into a unique halo orbit to demonstrate the stability and practicality of this trajectory for future lunar missions... CAPSTONE marks the beginning of something big — establishing a permanent communication link between Earth and lunar assets, and ensuring the steady, uninterrupted flow of data.

NASA and its Chinese counterparts have eerily similar plans for lunar exploration, and the Moon is currently a 'free-for-all' with no regulations set in place as to who can own our dusty orbital companion.

"In other words, things are about to get real loud out there as far as radio transmissions are concerned."
Privacy

Steve Wozniak Decries Tracking's Effect on Privacy, Calls Out 'Hypocrisy' of Only Banning TikTok (cnn.com) 137

In an interview Saturday, CNN first asked Steve Wozniak about Apple's "walled garden" approach — and whether there's any disconnect between Apple's stated interest in user security and privacy, and its own self-interest?

Wozniak responded, "I think there are things you can say on all sides of it. I'm kind of glad for the protection that I have for my privacy and for you know not getting hacked as much. Apple does a better job than the others.

And tracking you — tracking you is questionable, but my gosh, look at what we're accusing TikTok of, and then go look at Facebook and Google... That's how they make their business! I mean, Facebook was a great idea. But then they make all their money just by tracking you and advertising.

And Apple doesn't really do that as much. I consider Apple the good guy."

So then CNN directly asked Wozniak's opinion about the proposed ban on TikTok in the U.S. "Well, one, I don't understand it. I don't see why. I mean, I get a lot of entertainment out of TikTok — and I avoid the social web. But I love to watch TikTok, even if it's just for rescuing dog videos and stuff.

And so I'm thinking, well, what are we saying? We're saying 'Oh, you might be tracked by the Chinese'. Well, they learned it from us.

I mean, look, if you have a principle — a person should not be tracked without them knowing it? It's kind of a privacy principle — I was a founder of the EFF. And if you have that principle, you apply it the same to every company, or every country. You don't say, 'Here's one case where we're going to outlaw an app, but we're not going to do it in these other cases.'

So I don't like the hypocrisy. And that's always obviously common from a political realm."

Classic Games (Games)

New Book Remembers LAN Parties and the 1990s 'Multiplayer Revolution' (cnn.com) 74

CNN looks back to when "dial-up internet (and its iconic dial tone) was 'still a thing..." "File-sharing services like Napster and LimeWire were just beginning to take off... And in sweaty dorm rooms and sparse basements across the world, people brought their desktop monitors together to set up a local area network (LAN) and play multiplayer games — "Half-Life," "Counter-Strike," "Starsiege: Tribes," "StarCraft," "WarCraft" or "Unreal Tournament," to name just a few. These were informal but high-stakes gatherings, then known as LAN parties, with the prize being a box of energy drinks or just the joy of emerging victorious. The parties could last several days and nights, with gamers crowded together among heavy computers and fast food boxes, crashing underneath their desks in sleeping bags and taking breaks to pull pranks on each other or watch movies...

It's this nostalgia that prompted writer and podcaster Merritt K to document the era's gaming culture in her new photobook "LAN Party: Inside the Multiplayer Revolution." After floating the idea on X, the social media platform formerly known as Twitter, she received an immediate — and visceral — response from old-school gamers all too keen to share memories and photos from LAN parties and gaming conventions across the world... It's strange to remember that the internet was once a place you went to spend time with other real people; a tethered space, not a cling-film-like reality enveloping the corporeal world from your own pocket....

Growing up as a teenager in this era, you could feel a sense of hope (that perhaps now feels like naivete) about the possibilities of technology, K explained. The book is full of photos featuring people smiling and posing with their desktop monitors, pride and fanfare apparent... "It felt like, 'Wow, the future is coming,'" K said. "It was this exciting time where you felt like you were just charting your own way. I don't want to romanticize it too much, because obviously it wasn't perfect, but it was a very, very different experience...."

"We've kind of lost a lot of control, I think over our relationship to technology," K said. "We have lost a lot of privacy as well. There's less of a sense of exploration because there just isn't as much out there."

One photo shows a stack of Mountain Dew cans (remembering that by 2007 the company had even released a line of soda called "Game Fuel"). "It was a little more communal," the book's author told CNN. "If you're playing games in the same room with someone, it's a different experience than doing it online. You can only be so much of a jackass to somebody who was sitting three feet away from you..."

They add that that feeling of connecting to people in other places "was cool. It wasn't something that was taken for granted yet."
Transportation

Air Industry Trends Safer, But 'Flukish' Second Crash Led Boeing to Mishandled Media Storm, WSJ Argues (msn.com) 78

There's actually "a global trend toward increased air safety," notes a Wall Street Journal columnist.

And even in the case of the two fatal Boeing crashes five years ago, he stresses that they "were two different crashes," with the second happening only "after Boeing and the FAA issued emergency directives instructing pilots how to compensate for Boeing's poorly designed flight control software.

"The story should have ended after the first crash except the second set of pilots behaved in unexpected, unpredictable ways, flying a flyable Ethiopian Airlines jet into the ground." Boeing is guilty of designing a fallible system and placing an undue burden on pilots. The evidence strongly suggests, however, that the Ethiopian crew was never required to master the simple remedy despite the global furor occasioned by the first crash. To boot, they committed an additional error by overspeeding the aircraft in defiance of aural, visual and stick-shaker warnings against doing so. It got almost no coverage, but on the same day the Ethiopian government issued its final findings on the accident in late 2022, the U.S. National Transportation Safety Board, in what it called an "unusual step," issued its own "comment" rebuking the Ethiopian report for "inaccurate" statements, for ignoring the crew's role, for ignoring how readily the accident should have been avoided.
So the Wall Street Journal columnist challenges whether profit incentives played any role in Boeing's troubles: In reality, the global industry was reorganized largely along competitive profit-and-loss lines after the 1970s, and yet this coincided with enormous increases in safety, notwithstanding the sausage factory elements occasionally on display (witness the little-reported parking of hundreds of Airbus planes over a faulty new engine).

The point here isn't blame but to note that 100,000 repetitions likely wouldn't reproduce the flukish second MAX crash and everything that followed from it. Rather than surfacing Boeing's deeply hidden problems, it seems the second crash gave birth to them. The subsequent 20-month grounding and production shutdown, combined with Covid, cost Boeing thousands of skilled workers. The pressure of its duopoly competition with Airbus plus customers clamoring for their backordered planes made management unwisely desperate to restart production. January's nonfatal door-plug blowout of an Alaska Airlines 737 appears to have been a one-off when Boeing workers failed to reinstall the plug properly after removing it to fix faulty fuselage rivets. Not a one-off, apparently, are faulty rivets as Boeing has strained to hire new staff and resume production of half-finished planes.

Boeing will sort out its troubles eventually by applying the oldest of manufacturing insights: Training, repetition, standardization and careful documentation are the way to error-free complex manufacturing.

As he sees it, "The second MAX crash caught Boeing up in a disorienting global media and political storm that it didn't know how to handle and, indeed, has handled fairly badly."
Security

New 'Loop DoS' Attack May Impact Up to 300,000 Online Systems (thehackernews.com) 10

BleepingComputer reports on "a new denial-of-service attack dubbed 'Loop DoS' targeting application layer protocols."

According to their article, the attack "can pair network services into an indefinite communication loop that creates large volumes of traffic." Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 hosts and their networks. The attack is possible due to a vulnerability, currently tracked as CVE-2024-2169, in the implementation of the UDP protocol, which is susceptible to IP spoofing and does not provide sufficient packet verification. An attacker exploiting the vulnerability creates a self-perpetuating mechanism that generates excessive traffic without limits and without a way to stop it, leading to a denial-of-service (DoS) condition on the target system or even an entire network. Loop DoS relies on IP spoofing and can be triggered from a single host that sends one message to start the communication.

According to the Carnegie Mellon CERT Coordination Center (CERT/CC) there are three potential outcomes when an attacker leverages the vulnerability:

— Overloading of a vulnerable service and causing it to become unstable or unusable.
— DoS attack on the network backbone, causing network outages to other services.
— Amplification attacks that involve network loops causing amplified DOS or DDOS attacks.

CISPA researchers Yepeng Pan and Professor Dr. Christian Rossow say the potential impact is notable, spanning both outdated (QOTD, Chargen, Echo) and modern protocols (DNS, NTP, TFTP) that are crucial for basic internet-based functions like time synchronization, domain name resolution, and file transfer without authentication... The researchers warned that the attack is easy to exploit, noting that there is no evidence indicating active exploitation at this time. Rossow and Pan shared their findings with affected vendors and notified CERT/CC for coordinated disclosure. So far, vendors who confirmed their implementations are affected by CVE-2024-2169 are Broadcom, Cisco, Honeywell, Microsoft, and MikroTik.

To avoid the risk of denial of service via Loop DoS, CERT/CC recommends installing the latest patches from vendors that address the vulnerability and replacing products that no longer receive security updates. Using firewall rules and access-control lists for UDP applications, turning off unnecessary UDP services, and implementing TCP or request validation are also measures that can mitigate the risk of an attack. Furthermore, the organization recommends deploying anti-spoofing solutions like BCP38 and Unicast Reverse Path Forwarding (uRPF), and using Quality-of-Service (QoS) measures to limit network traffic and protect against abuse from network loops and DoS amplifications.
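The defining traffic signature of the loop described above is a UDP conversation in which both endpoints sit on a well-known service port (a normal client uses an ephemeral source port) and packets keep flowing in both directions. The detector below, an added example that is not code from the article or from the CISPA researchers, applies that heuristic to flow records. The flow-log format and all addresses and packet counts are constructed for the example; the port numbers are the standard IANA assignments for the protocols the article names (echo, QOTD, chargen, DNS, TFTP, NTP).

```python
"""Heuristic detector for service-to-service UDP loops of the kind described in the article.

A flow whose source and destination ports are both well-known UDP service
ports, with heavy traffic in both directions, is a strong loop indicator.
Input is a constructed, NetFlow-like text format: one flow per line,
"proto src_ip:src_port dst_ip:dst_port packets".
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard IANA UDP ports for the protocols named in the article.
SERVICE_PORTS = {7: "echo", 17: "qotd", 19: "chargen", 53: "dns", 69: "tftp", 123: "ntp"}

# Constructed sample flows (documentation IP ranges, made-up counts).
SAMPLE_FLOWS = """\
udp 203.0.113.10:17 198.51.100.20:19 48211
udp 198.51.100.20:19 203.0.113.10:17 48198
udp 192.0.2.55:52413 203.0.113.10:53 3
udp 203.0.113.10:53 192.0.2.55:52413 3
udp 192.0.2.9:53 203.0.113.77:69 21500
udp 203.0.113.77:69 192.0.2.9:53 21480
udp 192.0.2.9:123 203.0.113.77:123 12
udp 203.0.113.77:123 192.0.2.9:123 12
tcp 192.0.2.9:443 203.0.113.77:50001 120
udp 203.0.113.30:7 198.51.100.8:7 2
udp 198.51.100.8:7 203.0.113.30:7 2
"""


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def parse_flow(line):
    """Split one constructed flow line into (proto, src, dst, packets)."""
    proto, src, dst, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, Endpoint(sip, int(sport)), Endpoint(dip, int(dport)), int(pkts)


def find_loops(flow_text, min_packets=1000):
    """Return suspected loops as (endpoint_a, endpoint_b, pkts_a_to_b, pkts_b_to_a).

    Only UDP flows with a service port on BOTH ends are considered; a pair is
    reported when each direction exceeds min_packets. The threshold matters:
    NTP peers legitimately talk 123<->123, but at low rates, so they fall
    below it, while a runaway loop produces tens of thousands of packets.
    """
    directional = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, pkts = parse_flow(line)
        if proto != "udp":
            continue
        if src.port not in SERVICE_PORTS or dst.port not in SERVICE_PORTS:
            continue  # ordinary client traffic uses an ephemeral source port
        directional[(src, dst)] += pkts

    loops, seen = [], set()
    for (a, b), ab in directional.items():
        pair = frozenset((a, b))
        if pair in seen:
            continue
        seen.add(pair)
        ba = directional.get((b, a), 0)
        if ab >= min_packets and ba >= min_packets:
            loops.append((a, b, ab, ba))
    # Highest-volume loop first, so the worst offender is at the top of the report.
    loops.sort(key=lambda t: t[2] + t[3], reverse=True)
    return loops


def describe(loop):
    """Human-readable one-liner naming the two services caught in the loop."""
    a, b, ab, ba = loop
    return (f"{a.ip}:{a.port} ({SERVICE_PORTS[a.port]}) <-> "
            f"{b.ip}:{b.port} ({SERVICE_PORTS[b.port]}): {ab} / {ba} packets")


if __name__ == "__main__":
    for loop in find_loops(SAMPLE_FLOWS):
        print("suspected UDP loop:", describe(loop))
```

Run as a script it reports the QOTD/chargen and DNS/TFTP pairs and stays quiet about the low-rate NTP peering and the two-packet echo exchange; pointed at real flow exports, the hits are the service pairs to put behind the UDP firewall rules and rate limits CERT/CC recommends.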

Microsoft

Microsoft Confirms Windows Server Security Update Caused Memory Leak, 'Unscheduled' Reboots (bleepingcomputer.com) 35

"Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash," BleepingComputer reported Thursday.

Friday Microsoft wrote that the issue "was resolved in the out-of-band update KB5037422," only available via the Microsoft Update Catalog. (The update "is not available from Windows Update and will not install automatically.")

BleepingComputer reported the leak only affected "enterprise systems using the impacted Windows Server platform," and home users were not affected. But Microsoft confirmed it impacted all domain controller servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates: As BleepingComputer first reported on Wednesday and as many admins have warned over the last week, affected servers are freezing and restarting unexpectedly due to a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with this month's cumulative updates.

"Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die)," one admin said.

"Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung," another Windows admin told BleepingComputer.

The leak "is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests," Microsoft wrote. "Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers..."

"We strongly recommend you do not apply the March 2024 security update on DCs and install KB5037422 instead..."
Businesses

Trump's Truth Social Is Going Public (wired.com) 229

An anonymous reader quotes a report from Wired: Former president Donald Trump's Truth Social, a shameless Twitter clone, is set to become a publicly traded company as soon as next week. Shareholders of Digital World Acquisition Corp. voted on Friday to merge with Trump Media and Technology Group, the company behind Truth Social. The vote is a culmination of a years-long saga attempting to merge Trump Media with a publicly traded company in what's known as a SPAC deal. The company will trade under the ticker DJT once it goes public. [...] Truth Social looks nearly identical to Twitter, with some key distinctions. Instead of "tweeting," users post a "truth." A "retweet" is called a "retruth." Unlike many right-wing Twitter clones, the site functions well, has remained mostly online, and actually appears to have a somewhat active user base. But since launching in February 2022, after Trump was kicked off of mainstream platforms for inciting violence during the January 6 riot at the Capitol, the company has been mired in controversy.
Transportation

Truck-To-Truck Worm Could Infect Entire US Fleet (theregister.com) 50

Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt some of the vehicle's systems. A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.
