New ‘GoFetch’ Apple CPU Attack Exposes Crypto Keys

“There is a new side channel attack against Apple ‘M’ series CPUs that does not appear to be fixable without a major performance hit,” writes Slashdot reader EncryptedSoldier. SecurityWeek reports: A team of researchers representing several universities in the United States has disclosed the details of a new side-channel attack method that can be used to extract secret encryption keys from systems powered by Apple CPUs. The attack method, dubbed GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance.

The researchers have found a way to use specially crafted cryptographic operation inputs that allow them to infer secret keys, guessing them bits at a time by monitoring the behavior of the DMP. They managed to demonstrate end-to-end key extraction attacks against several crypto implementations, including OpenSSL Diffie-Hellman Key Exchange, Go RSA, and the post-quantum CRYSTALS-Kyber and CRYSTALS-Dilithium. The researchers have conducted successful GoFetch attacks against systems powered by Apple M1 processors, and they have found evidence that the attack could also work against M2 and M3 processors. They have also tested an Intel processor that uses DMP, but found that it’s ‘more robust’ against such attacks.

The experts said Apple is investigating the issue, but fully addressing it does not seem trivial. The researchers have proposed several countermeasures, but they involve hardware changes that are not easy to implement or mitigations that can have a significant impact on performance. Apple told SecurityWeek that it thanks the researchers for their collaboration as this work advances the company’s understanding of these types of threats. The tech giant also shared a link to a developer page that outlines one of the mitigations mentioned by the researchers. The researchers have published a paper (PDF) detailing their work.

Ars Technica’s Dan Goodin also reported on the vulnerability.

Read more of this story at Slashdot.

Users Shocked To Find Instagram Limits Political Content By Default

Instagram has been limiting recommended political content by default without notifying users. Ars Technica reports: Instead, Instagram rolled out the change in February, announcing in a blog that the platform doesn’t “want to proactively recommend political content from accounts you don’t follow.” That post confirmed that Meta “won’t proactively recommend content about politics on recommendation surfaces across Instagram and Threads,” so that those platforms can remain “a great experience for everyone.” “This change does not impact posts from accounts people choose to follow; it impacts what the system recommends, and people can control if they want more,” Meta’s spokesperson Dani Lever told Ars. “We have been working for years to show people less political content based on what they told us they want, and what posts they told us are political.”

To change the setting, users can navigate to Instagram’s menu for “settings and activity” in their profiles, where they can update their “content preferences.” On this menu, “political content” is the last item under a list of “suggested content” controls that allow users to set preferences for what content is recommended in their feeds. There are currently two options for controlling what political content users see. Choosing “don’t limit” means “you might see more political or social topics in your suggested content,” the app says. By default, all users are set to “limit,” which means “you might see less political or social topics.” “This affects suggestions in Explore, Reels, Feed, Recommendations, and Suggested Users,” Instagram’s settings menu explains. “It does not affect content from accounts you follow. This setting also applies to Threads.” “Did [y’all] know Instagram was actively limiting the reach of political content like this?!” an X user named Olayemi Olurin wrote in an X post. “I had no idea ’til I saw this comment and I checked my settings and sho nuff political content was limited.”

“This is actually kinda wild that Instagram defaults everyone to this,” another user wrote. “Obviously political content is toxic but during an election season it’s a little weird to just hide it from everyone?”


Redis To Adopt ‘Source-Available Licensing’ Starting With Next Version

Longtime Slashdot reader jgulla shares an announcement from Redis: Beginning today, all future versions of Redis will be released with source-available licenses. Starting with Redis 7.4, Redis will be dual-licensed under the Redis Source Available License (RSALv2) and Server Side Public License (SSPLv1). Consequently, Redis will no longer be distributed under the three-clause Berkeley Software Distribution (BSD). The new source-available licenses allow us to sustainably provide permissive use of our source code.

We’re leading Redis into its next phase of development as a real-time data platform with a unified set of clients, tools, and core Redis product offerings. The Redis source code will continue to be freely available to developers, customers, and partners through Redis Community Edition. Future Redis source-available releases will unify core Redis with Redis Stack, including search, JSON, vector, probabilistic, and time-series data models in one free, easy-to-use package as downloadable software. This will allow anyone to easily use Redis across a variety of contexts, including as a high-performance key/value and document store, a powerful query engine, and a low-latency vector database powering generative AI applications. […]

Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code. These agreements will underpin support for existing integrated solutions and provide full access to forthcoming Redis innovations. In practice, nothing changes for the Redis developer community who will continue to enjoy permissive licensing under the dual license. At the same time, all the Redis client libraries under the responsibility of Redis will remain open source licensed. Redis will continue to support its vast partner ecosystem — including managed service providers and system integrators — with exclusive access to all future releases, updates, and features developed and delivered by Redis through its Partner Program. There is no change for existing Redis Enterprise customers.


Woman With $2.5 Billion In Bitcoin Convicted of Money Laundering

mrspoonsi shares a report from the BBC: A former takeaway worker found with Bitcoin worth more than $2.5 billion has been convicted at Southwark Crown Court of a crime linked to money laundering. Jian Wen, 42, from Hendon in north London, was involved in converting the currency into assets including multi-million-pound houses and jewelry. On Monday she was convicted of entering into or becoming concerned in a money laundering arrangement. The Met said the seizure is the largest of its kind in the UK.

Although Wen was living in a flat above a Chinese restaurant in Leeds when she became involved in the criminal activity, her new lifestyle saw her move into a six-bedroom house in north London in 2017 which was rented for more than $21,000 per month. She posed as an employee of an international jewelry business and moved her son to the UK to attend private school, the Crown Prosecution Service (CPS) said. That same year, Wen tried to buy a string of expensive houses in London, but struggled to pass money-laundering checks and her claims she had earned millions legitimately mining Bitcoin were not believed. She later travelled abroad, buying jewelry worth tens of thousands of pounds in Zurich, and purchasing properties in Dubai in 2019.

Another suspect is thought to be behind the fraud but they remain at large. The Met said it carried out a large-scale investigation as part of the case – searching several addresses, reviewing 48 electronic devices, and examining thousands of digital files including many which were translated from Mandarin. The CPS has obtained a freezing order from the High Court, while it carries out a civil recovery investigation that could lead to the forfeiture of the Bitcoin. The Bitcoin was worth around $2.5 billion at the time of initial estimates — but due to the fluctuation in the currency’s value, it has since increased to around $4.3 billion.


Nvidia’s Jensen Huang Says AGI Is 5 Years Away

Haje Jan Kamps writes via TechCrunch: Artificial General Intelligence (AGI) — often referred to as “strong AI,” “full AI,” “human-level AI” or “general intelligent action” — represents a significant future leap in the field of artificial intelligence. Unlike narrow AI, which is tailored for specific tasks (such as detecting product flaws, summarizing the news, or building you a website), AGI will be able to perform a broad spectrum of cognitive tasks at or above human levels. Addressing the press this week at Nvidia’s annual GTC developer conference, CEO Jensen Huang appeared to be getting really bored of discussing the subject — not least because he finds himself misquoted a lot, he says. The frequency of the question makes sense: The concept raises existential questions about humanity’s role in and control of a future where machines can outthink, outlearn and outperform humans in virtually every domain. The core of this concern lies in the unpredictability of AGI’s decision-making processes and objectives, which might not align with human values or priorities (a concept explored in depth in science fiction since at least the 1940s). There’s concern that once AGI reaches a certain level of autonomy and capability, it might become impossible to contain or control, leading to scenarios where its actions cannot be predicted or reversed.

When sensationalist press asks for a timeframe, it is often baiting AI professionals into putting a timeline on the end of humanity — or at least the current status quo. Needless to say, AI CEOs aren’t always eager to tackle the subject. Predicting when we will see a passable AGI depends on how you define AGI, Huang argues, and draws a couple of parallels: Even with the complications of time zones, you know when the new year happens and 2025 rolls around. If you’re driving to the San Jose Convention Center (where this year’s GTC conference is being held), you generally know you’ve arrived when you can see the enormous GTC banners. The crucial point is that we can agree on how to measure that you’ve arrived, whether temporally or geospatially, where you were hoping to go. “If we specified AGI to be something very specific, a set of tests where a software program can do very well — or maybe 8% better than most people — I believe we will get there within 5 years,” Huang explains. He suggests that the tests could be a legal bar exam, logic tests, economic tests or perhaps the ability to pass a pre-med exam. Unless the questioner is able to be very specific about what AGI means in the context of the question, he’s not willing to make a prediction. Fair enough.
