Vietnam Demands Big Tech Localize Data Storage and Offices

Vietnam’s Ministry of Information and Communications updated cybersecurity laws this week to mandate Big Tech and telecoms companies store user data locally, and control that data with local entities. The Register reports: The data affected goes beyond the basics of name, email, credit card information, phone number and IP address, and extends into social elements — including groups of which users are members, or the friends with whom they digitally interact. “Data of all internet users ranging from financial records and biometric data to information on people’s ethnicity and political views, or any data created by users while surfing the internet must be to stored domestically,” read the decree (PDF) issued Wednesday, as translated by Reuters. The decree applies to a wide swath of businesses including those providing telecom services, storing and sharing data in cyberspace, providing national or international domain names for users in Vietnam, e-commerce, online payments, payment intermediaries, transport connection services operating in cyberspace, social media, online video games, messaging services, and voice or video calls.

According to Article 26 of the government’s Decree 53, the new rules go into effect October 1, 2022 — around seven weeks from the date of its announcement. However, foreign companies have an entire 12 months in which to comply — beginning when they receive instructions from the Minister of Public Security. The companies are then required to store the data in Vietnam for a minimum of 24 months. System logs will need to be stored for 12 months. After this grace period, authorities reserve the right to make sure affected companies are following the law through investigations and data collection requests, as well as content removal orders. Further reading: Vietnam To Make Apple Watch, MacBook For First Time Ever

Read more of this story at Slashdot.

Erik Prince Wants To Sell You a ‘Secure’ Smartphone That’s Too Good To Be True

MIT Technology Review obtained Prince’s investor presentation for the “RedPill Phone,” which promises more than it could possibly deliver. From the report: Erik Prince’s pitch to investors was simple — but certainly ambitious: pay just 5 million euros and cure the biggest cybersecurity and privacy plagues of our day. The American billionaire — best known for founding the notorious private military firm Blackwater, which became globally infamous for killing Iraqi civilians and threatening US government investigators — was pushing Unplugged, a smartphone startup promising “free speech, privacy, and security” untethered from dominant tech giants like Apple and Google. In June, Prince publicly revealed the new phone, priced at $850. But before that, beginning in 2021, he was privately hawking the device to investors — using a previously unreported pitch deck that has been obtained by MIT Technology Review. It boldly claims that the phone and its operating system are “impenetrable” to surveillance, interception, and tampering, and its messenger service is marketed as “impossible to intercept or decrypt.”

Boasting falsely that Unplugged has built “the first operating system free of big tech monetization and analytics,” Prince bragged that the device is protected by “government-grade encryption.” Better yet, the pitch added, Unplugged is to be hosted on a global array of server farms so that it “can never be taken offline.” One option is said to be a server farm “on a vessel” located in an “undisclosed location on international waters, connected via satellite to Elon Musk’s StarLink.” An Unplugged spokesperson explained that “they benefit in having servers not be subject to any governmental law.” The Unplugged investor pitch deck is a messy mix of these impossible claims, meaningless buzzwords, and outright fiction. While none of the experts I spoke with had yet been able to test the phone or read its code, because the company hasn’t provided access, the evidence available suggests Unplugged will fall wildly short of what’s promised.

[…] The UP Phone’s operating system, called LibertOS, is a proprietary version of Google’s Android, according to an Unplugged spokesperson. It’s running on an unclear mix of hardware that a company spokesperson says they’ve designed on their own. Even just maintaining a unique Android “fork” — a version of the operating system that departs from the original, like a fork in the road — is a difficult endeavor that can cost massive money and resources, experts warn. For a small startup, that can be an insurmountable challenge. […] Another key issue is life span. Apple’s iPhones are considered the most secure consumer device on the market due in part to the fact that the company offers security updates to some of its older phones for six years, longer than virtually all competitors. When support for a phone ends, security vulnerabilities go unaddressed, and the phone is no longer secure. There is no information available on how long UP Phones will receive security support. “There are two things happening here,” says Allan Liska, a cyberintelligence analyst at the cybersecurity firm Recorded Future. “There are the actual attempts to make real secure phones, and then there is the marketing BS. Distinguishing between those two can be really hard.”

“When I worked in US intelligence, we [penetrated] a number of phone companies overseas,” says Liska. “We were inside those phone companies. We could easily track people based on where they connected to the towers. So when you talk about being impenetrable, that’s wrong. This is a phone, and the way that phones work is they triangulate to cell towers, and there is always latitude and longitude for exactly where you’re sitting,” he adds. “Nothing you do to the phone is going to change that.”

The UP Phone is due out in November 2022.

Read more of this story at Slashdot.

Google’s New Bug Bounties Include Their Custom Linux Kernel’s Experimental Security Mitigations

Google uses Linux “in almost everything,” according to the leader of Google’s “product security response” team — including Chromebooks, Android smartphones, and even Google Cloud.

“Because of this, we have heavily invested in Linux’s security — and today, we’re announcing how we’re building on those investments and increasing our rewards.”

In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called, kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded.

All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability.

We’ve learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify, however, we think we’ve found a way to do so concretely going forward….

First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we’ll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements.

Second, we’re launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we’ve built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit. For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD.

We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations…..

With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.

“We don’t care about vulnerabilities; we care about exploits,” Vela told the Register. “We expect the vulnerabilities are there, they will get patched, and that’s nice and all. But the whole idea is what do to beyond just patching a couple of vulnerabilities.”
In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year. “We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better,” Vela said.

“If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this….”

[I]t’s not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. “We are trying to find the right combination to captivate people.”

Read more of this story at Slashdot.

Linux 6.0 Arrives With Performance Improvements and More Rust Coming

Linux creator Linus Torvalds has announced the first release candidate for the Linux kernel version 6.0, but he says the major number change doesn’t signify anything especially different about this release. ZDNet: While there is nothing fundamentally different about this release compared with 5.19, Torvalds noted that there were over 13,500 non-merge commits and over 800 merged commits, meaning “6.0 looks to be another fairly sizable release.” According to Torvalds, most of the updates are improvements to the GPU, networking and sound. Torvalds stuck to his word after releasing Linux kernel 5.19 last month, when he flagged he would likely call the next release 6.0 because he’s “starting to worry about getting confused by big numbers again.”

On Sunday’s release of Linux 6.0 release candidate version 1 (rc-1), he explained his reasoning behind choosing a new major version number and its purpose for developers. Again, it’s about avoiding confusion rather than signaling that the release has major new features. His threshold for changing the lead version number was .20 because it is difficult to remember incremental version numbers beyond that. “Despite the major number change, there’s nothing fundamentally different about this release – I’ve long eschewed the notion that major numbers are meaningful, and the only reason for a ‘hierarchical; numbering system is to make the numbers easier to remember and distinguish,” said Torvalds. Torvalds lamented some Rust-enabling code didn’t make it into the release. The Register adds: “I actually was hoping that we’d get some of the first rust infrastructure, and the multi-gen LRU VM, but neither of them happened this time around,” he mused, before observing “There’s always more releases. This is one of those releases where you should not look at the diffstat too closely, because more than half of it is yet another AMD GPU register dump,” he added, noting that Intel’s Gaudi2 Ai processors are also likely to produce plenty of similar kernel additions. “The CPU people also show up in the JSON files that describe the perf events, but they look absolutely tiny compared to the ‘asic_reg’ auto-generated GPU and AI hardware definitions,” he added.

Read more of this story at Slashdot.

San Francisco Restaurant Claims To Be First To Run Entirely By Robots

Mezli isn’t the first automated restaurant to roll out in San Francisco, but, at least according to its three co-founders, it’s the first to remove humans entirely from the on-site operation equation. Eater SF reports: About two years and a few million dollars later, Mezli co-founders Alex Kolchinski, Alex Gruebele, and Max Perham are days away from firing up the touch screens at what they believe to be the world’s first fully robotic restaurant. To be clear, Mezli isn’t a restaurant in the traditional sense. As in, you won’t be able to pull up a seat and have a friendly server — human, robot, or otherwise — take your order and deliver your food. Instead, Mezli works more like if a vending machine and a restaurant had a robot baby, Kolchinski describes. It’s a way to get fresh food to a lot of people, really fast (the box can pump out about 75 meals an hour), and, importantly, at a lower price; the cheapest Mezli bowl starts at $6.99.

On its face, the concept actually sounds pretty simple. The co-founders built what’s essentially a big, refrigerated shipping container and stuffed it with machines capable of portioning out ingredients, putting those ingredients into bowls, heating the food up, and then moving it to a place where diners can get to it. But in a technical sense, the co-founders say it was quite difficult to work out. Most automated restaurants still require humans in some capacity; maybe people take orders while robots make the food or, vice versa, with automated ordering and humans prepping food behind the scenes. But Mezli can run on its own, serving hundreds of meals without any human staff.

The food does get prepped and pre-cooked off-site by good old-fashioned carbon-based beings. Mezli founding chef Eric Minnich, who previously worked at Traci Des Jardins’s the Commissary and at Michelin-starred Madera at Rosewood Sand Hill hotel, says he and a lean team of just two other people can handle all the chopping, mixing, cooking, and portioning at a commissary kitchen. Then, once a day, they load all the menu components into the big blue-and-white Mezli box. Inside the box, there’s an oven that either brings the ingredients up to temp or finishes up the last of the cooking. Cutting down on labor marks a key cost-saving measure in the Mezli business model; with just a fraction of the staff, as in less than a half dozen workers, Mezli can serve hundreds of meals. “The fully robot-run restaurant begins taking orders and sliding out Mediterranean grain bowls by the end of this week with plans to celebrate a grand opening on August 28 at Spark Social,” notes Eater.

Read more of this story at Slashdot.

Impact Crater May Be Dinosaur Killer’s Baby Cousin

Researchers have discovered a second impact crater on the other side of the Atlantic that could have finished off what was left of the dinosaurs, after an asteroid known as Chicxulub slammed into what is now the Gulf of Mexico 66 million years ago. The BBC reports: Dubbed Nadir Crater, the new feature sits more than 300m below the seabed, some 400km off the coast of Guinea, west Africa. With a diameter of 8.5km, it’s likely the asteroid that created it was a little under half a kilometre across. The hidden depression was identified by Dr Uisdean Nicholson from Heriot-Watt University, Edinburgh, UK. […] “Our simulations suggest this crater was caused by the collision of a 400m-wide asteroid in 500-800m of water,” explained Dr Veronica Bray from the University of Arizona, US. “This would have generated a tsunami over one kilometre high, as well as an earthquake of Magnitude 6.5 or so. “The energy released would have been around 1,000 times greater than that from the January 2022 eruption and tsunami in Tonga.”

Dr Nicholson’s team has to be cautious about tying the two impacts together. Nadir has been given a very similar date to Chicxulub based on an analysis of fossils of known age that were drilled from a nearby borehole. But to make a definitive statement, rocks in the crater itself would need to be pulled up and examined. This would also confirm Nadir is indeed an asteroid impact structure and not some other, unrelated feature caused by, for example, ancient volcanism. […] Prof Sean Gulick, who co-led the recent project to drill into the Chicxulub Crater, said Nadir might have fallen to Earth on the same day. Or it might have struck the planet a million or two years either side of the Mexican cataclysm. Scientists will only know for sure when rocks from the west African crater are inspected in the lab. “A much smaller cousin, or sister, doesn’t necessarily add to what we know about the dinosaurs’ extinction, but it does add to our understanding of the astronomical event that was Chicxulub,” the University of Texas at Austin researcher told BBC News.

Read more of this story at Slashdot.

Microsoft Employees Exposed Own Company’s Internal Logins

Multiple people who appear to be employees of Microsoft have exposed sensitive login credentials to the company’s own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials. Motherboard reports: “We continue to see that accidental source code and credential leakages are part of the attack surface of a company, and it’s becoming more and more difficult to identify in a timely and accurate manner. This is a very challenging issue for most companies these days,” Mossab Hussein, chief security officer at cybersecurity firm spiderSilk which discovered the issue, told Motherboard in an online chat. Hussein provided Motherboard with seven examples in total of exposed Microsoft logins. All of these were credentials for Azure servers. Azure is Microsoft’s cloud computer service and is similar to Amazon Web Services. All of the exposed credentials were associated with an official Microsoft tenant ID. A tenant ID is a unique identifier linked to a particular set of Azure users. One of the GitHub users also listed Microsoft on their profile.

Three of the seven login credentials were still active when spiderSilk discovered them, with one seemingly uploaded just days ago at the time of writing. The other four sets of credentials were no longer active but still highlighted the risk of workers accidentally uploading keys for internal systems. Microsoft refused to elaborate on what systems the credentials were protecting when asked multiple times by Motherboard. But generally speaking, an attacker may have an opportunity to move onto other points of interest after gaining initial access to an internal system. One of the GitHub profiles with exposed and active credentials makes a reference to the Azure DevOps code repository. Highlighting the risk that such credentials may pose, in an apparently unrelated hack in March attackers gained access to an Azure DevOps account and then published a large amount of Microsoft source code, including for Bing and Microsoft’s Cortana assistant. “We’ve investigated and have taken action to secure these credentials,” said a Microsoft spokesperson in a statement. “While they were inadvertently made public, we haven’t seen any evidence that sensitive data was accessed or the credentials were used improperly. We’re continuing to investigate and will continue to take necessary steps to further prevent inadvertent sharing of credentials.”

Read more of this story at Slashdot.