Hackers Can Infect Over 100 Lenovo Models With Unremovable Malware

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect. Ars Technica reports: Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.

Two of the vulnerabilities — tracked as CVE-2021-3971 and CVE-2021-3972 — reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without being properly deactivated. Hackers can exploit these buggy drivers to disable protections, including UEFI secure boot, BIOS control register bits, and protected range register, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs. After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management. “All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges,” notes Ars Technica’s Dan Goodin. “The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk.”

Still, it’s worth looking to see if you have an affected model and, if so, patch your computer as soon as possible.
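The protections the article names (BIOS Control register bits and the Protected Range registers on the SPI controller) are what a defender should verify after patching. The following is an added example, not code from the article, ESET or Lenovo: it decodes constructed register values using the layouts documented for Intel PCH SPI controllers (13-bit base/limit fields, the older PCH layout; newer parts use wider fields) and reports any way the flash could still be written from the host.

```python
"""Decode SPI flash write-protection state: BIOS_CNTL bits and PRx registers.
Added example, not from the article, ESET or Lenovo. Register layouts follow
the Intel PCH SPI controller documentation as used by tools such as chipsec;
the 13-bit PR base/limit fields are the older PCH layout. Every register value
used below is a constructed sample, not a reading from real hardware."""
from dataclasses import dataclass
from typing import List, Sequence

# BIOS_CNTL bits (LPC/SPI configuration space)
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = host can write the flash
BLE = 1 << 1       # BIOS Lock Enable: an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only while in SMM


@dataclass
class ProtectedRange:
    index: int
    base: int           # first protected byte (flash linear address)
    limit: int          # last protected byte
    write_protect: bool
    read_protect: bool


def decode_pr(index: int, value: int) -> ProtectedRange:
    """PRx layout: bit 31 WPE, bits 28:16 limit, bit 15 RPE, bits 12:0 base (4 KiB units)."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(index, base, limit,
                          bool((value >> 31) & 1), bool((value >> 15) & 1))


def bios_cntl_findings(bios_cntl: int) -> List[str]:
    """Each string is one weakness in the BIOS_CNTL configuration."""
    findings = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: flash is writable from the host")
    if not bios_cntl & BLE:
        findings.append("BLE clear: BIOSWE can be set without raising an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: non-SMM code can write flash once BIOSWE is set")
    return findings


def bios_region_covered(prs: Sequence[ProtectedRange], bios_base: int, bios_limit: int) -> bool:
    """True when write-protected PRs cover every byte of [bios_base, bios_limit]."""
    cursor = bios_base
    for base, limit in sorted((p.base, p.limit) for p in prs if p.write_protect):
        if cursor > bios_limit:
            break
        if base > cursor:
            return False            # hole before this range
        if limit >= cursor:
            cursor = limit + 1
    return cursor > bios_limit


def flash_protection_findings(bios_cntl: int, pr_values: Sequence[int],
                              bios_base: int, bios_limit: int) -> List[str]:
    """Combine both checks; an empty list means the flash is locked as expected."""
    findings = bios_cntl_findings(bios_cntl)
    prs = [decode_pr(i, v) for i, v in enumerate(pr_values)]
    if not bios_region_covered(prs, bios_base, bios_limit):
        findings.append("BIOS region not fully covered by a write-protected PR")
    return findings


if __name__ == "__main__":
    # Constructed values: 8 MiB flash with the BIOS region in the top 3 MiB.
    locked = flash_protection_findings(0x2A, [0x87FF0500], 0x500000, 0x7FFFFF)
    unlocked = flash_protection_findings(0x00, [0x07FF0500], 0x500000, 0x7FFFFF)
    print("locked:", locked or "no findings")
    print("unlocked:", unlocked)
```

On live hardware, chipsec's `common.bios_wp` module reads these same registers and applies the same logic; the standalone version above lets you reason about values from a register dump, for instance when comparing a machine before and after the Lenovo update.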

Read more of this story at Slashdot.

Volla Phone 22 Runs Ubuntu Touch Or a Privacy-Focused Android Fork Or Both

The Volla Phone 22, a new smartphone available for preorder via a Kickstarter campaign, is unlike any other smartphone on the market today in that it ships with a choice of the Android-based Volla OS or the Ubuntu Touch mobile Linux distribution. “It also supports multi-boot functionality, allowing you to install more than one operating system and choose which to run at startup,” writes Liliputing’s Brad Linder. Some of the hardware specs include a 6.3-inch FHD+ display, a MediaTek Helio G85 processor, 4GB of RAM, 128GB storage, 3.5mm audio jack and a microSD card reader. There’s also a 48-megapixel main camera sensor and replaceable 4,500mAh battery. From the report: While Volla works with the folks at UBPorts to ensure its phones are compatible with Ubuntu Touch, the company develops the Android-based Volla OS in-house. It’s based on Google’s Android Open Source Project code, but includes a custom launcher, user interface, and set of apps with an emphasis on privacy. The Google Play Store is not included, as this is a phone aimed at folks who want to minimize tracking from big tech companies. Other Google apps and services like the Chrome web browser, Google Maps, Google Drive, and Gmail are also omitted. The upshot is that no user data is collected or stored by Volla, Google, or other companies unless you decide to install apps that track your data. Of course, that could make using the phone a little less convenient if you’ve come to rely on those apps, so the Volla Phone might not be the best choice for everyone.

Volla OS also has a built-in user-customizable firewall, an App Locker feature for disabling and hiding apps, and optional support for using the Hide.me VPN for anonymous internet usage. The source code for Volla OS is also available for anyone that wants to inspect the code. The operating system also has a custom user interface including a Springboard that allows you to quickly launch frequently-used apps by pressing a red dot for a list, or by starting to type in a search box for automatic suggestions such as placing a phone call, sending a text message, or opening a web page. You can also create notes or calendar events from the Springboard or send an encrypted message with Signal. The phone is expected to ship in June at an early bird price of about $408.

Rolls-Royce Expects UK Approval For Small Nuclear Reactors By Mid-2024

Rolls-Royce is to start building parts for its small modular nuclear reactors in anticipation of receiving regulatory approval from the British government by 2024, one of its directors has said. The Guardian reports: Paul Stein, the chairman of Rolls-Royce SMR, a subsidiary of the FTSE 100 engineering company, said he hoped to be providing power to the UK’s national grid by 2029. Speaking to Reuters in an interview conducted virtually, Stein said the regulatory “process has been kicked off, and will likely be complete in the middle of 2024. We are trying to work with the UK government, and others to get going now placing orders, so we can get power on grid by 2029.”

Small modular reactors (SMRs) are seen by their proponents as a way to build nuclear power plants in factories, a method that could be cheaper and quicker than traditional designs. The technology, based on the reactors used in nuclear submarines, is seen by Rolls-Royce as a potential earner far beyond any previous business such as jet engines or diesel motors. The government under Boris Johnson put nuclear power at the centre of its energy strategy announced earlier this month, in response to climate concerns and a desire to ditch Russian gas. SMRs are expected to play an important role in an expansion of nuclear to supply a quarter of the UK’s energy needs. Lower costs would be crucial in justifying the nuclear push, given that onshore wind is seen as much cheaper and quicker to install.

No 10 Suspected of Being Target of NSO Spyware Attack, Boris Johnson ‘Told’

Boris Johnson has been told his Downing Street office has been targeted with “multiple” suspected infections using Pegasus, the sophisticated hacking software that can turn a phone into a remote listening device, it was claimed on Monday. The Guardian reports: A report released by Citizen Lab at the University of Toronto said the United Arab Emirates was suspected of orchestrating spyware attacks on No 10 in 2020 and 2021. Pegasus is the hacking software — or spyware — developed, marketed and licensed to governments around the world by the Israeli firm NSO Group. It has the capability to infect phones running either iOS or Android operating systems. Citizen Lab added there had also been suspected attacks on the Foreign Office over the same two years that were also associated with Pegasus operators linked to the UAE — as well as India, Cyprus and Jordan.

The researchers, considered among the world’s leading experts in detecting digital attacks, announced they had taken the rare step of notifying Whitehall of the attack as it “believes that our actions can reduce harm.” However, they were not able to identify the specific individuals within No 10 and the Foreign Office who are suspected of having been hacked. “The suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus and Jordan. The suspected infection at the UK prime minister’s office was associated with a Pegasus operator we link to the UAE.”

Is GitHub Suspending the Accounts of Russian Developers at Sanctioned Companies?

“Russian software developers are reporting that their GitHub accounts are being suspended without warning if they work for or previously worked for companies under U.S. sanctions,” writes Bleeping Computer:

According to Russian media outlets, the ban wave began on April 13 and didn’t discriminate between companies and individuals. For example, the GitHub accounts of Sberbank Technology, Sberbank AI Lab, and the Alfa Bank Laboratory had their code repositories initially disabled and are now removed from the platform…. Personal accounts suspended on GitHub have their content wiped while all repositories become immediately out of reach, and the same applies to issues and pull requests.

Habr.com [a Russian collaborative blog about IT] reports that some Russian developers contacted GitHub about the suspension and received an email titled ‘GitHub and Trade Controls’ that explained their account was disabled due to US sanctions. This email contains a link to a GitHub page explaining the company’s policies regarding sanctions and trade controls, which explains how a user can appeal their suspension. This appeal form requires the individual to certify that they do not use their GitHub account on behalf of a sanctioned entity. A developer posted to Twitter saying that he could remove the suspension after filling out the form and that it was due to his previous employer being sanctioned.
A GitHub blog post in March had promised to ensure the availability of open source services “to all, including developers in Russia.” So Bleeping Computer contacted a GitHub spokesperson, who explained this weekend that while GitHub may be required to restrict some users to comply with U.S. laws, “We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law.”
According to this, the suspended private accounts are either affiliated, collaborating, or working with/for sanctioned entities. However, even those who previously worked for a sanctioned company appear to be suspended by mistake.

This means that Russian users, in general, can suddenly find their projects wiped and accounts suspended, even if those projects have nothing to do with the sanctioned entities.

Ironic Effect of Efforts to Ban Books: Teenagers Form New Book Clubs to Read Them

CNN reports on “an ironic effect” of efforts to remove books from libraries in America. “The more certain books are singled out, the more people want to read them.”

And for some U.S. teenagers in “banned book clubs,” recent book banning attempts have been a springboard for wider discussions around censorship.
The Banned Book Club at Firefly Bookstore [started by 8th grader Joslyn Diffenbaugh] read George Orwell’s “Animal Farm” as its first pick. While the satirical novella, which makes a pointed critique of totalitarianism, isn’t one of the books currently being challenged in the US, it was banned in the Soviet Union until its fall and was rejected for publication in the UK during its wartime alliance with the USSR. And it faced challenges in Florida in the ’80s for being “pro-communist.” That history made for some thought-provoking conversations. “It taught a lot because it had references to different forms of government that maybe some adults didn’t like their kids reading about, even though it was run by pigs,” Diffenbaugh said. “I really thought it shouldn’t have been banned for those reasons, or at all.”

Teenagers at the Common Ground Teen Center in Washington, Pennsylvania, formed a banned book club soon after a Tennessee school district voted to remove “Maus” from an eighth grade curriculum. But while the graphic novel about the Holocaust was the catalyst for the club, says director Mary Jo Podgurski, the first title they chose to read was, fittingly, “Fahrenheit 451” — the 1953 dystopian novel about government censorship that itself has been challenged over the years. “Obviously this whole idea of taking away books that they wanted to read or that they thought they should read sparked a nerve in them,” said Podgurski, an educator and counselor who oversees the Common Ground Teen Center….

Since reading “Fahrenheit 451,” the club has also discussed “Animal Farm” and “1984,” which has been challenged for its political themes and sexual content. So far, the young readers at the Common Ground Teen Center have been puzzled as to why those books were once deemed inappropriate. “I often wonder, do adults understand what kids have in their phones?” Podgurski said. “They have access to everything. Saying ‘don’t read this book’ shows that you’re not understanding teen culture. Young people have access to much information. What they need is an adult to help them process it.”

Honda Hits 3D Printing Sites With Takedown Orders Over Honda-Compatible Parts

A writer for The Drive reports that “Recently, I noticed a part that I made for my Honda Accord was removed from Printables, the newly rebranded 3D printing repository offered by Prusa.
“There seemed to be no rhyme or reason for it, but I didn’t think anything else about it…until reports of a mass deletion started popping up on Reddit.”

All models referencing the word “Honda” posted prior to March 30, 2022, were seemingly removed from Printables without warning. These included speaker brackets, key housings, hood latches, shifter bushings, washer fluid caps, roof latch handles, and my trunk lid handle — a part not offered on 10th generation Accords sold in the U.S. at all. In fact, many of the removed parts had no Honda branding but were just compatible with Honda vehicles. As it turns out, Prusa says it was issued a takedown notice from Honda and removed all 3D models that referenced the brand.

“I can confirm to you that we have received a letter from a lawyer representing Honda, informing us that we were required to remove any model which used ‘Honda’ in the listing, the model itself, or one of several trademarks/logos also associated with Honda,” a Prusa spokesperson told The Drive in an email. “This will also be related to the naming of the files it self (sic), as for Honda this would be considered as a violation of their trademark/patents.” A Prusa employee responded to a post on the company’s forums, noting that Honda sent a “huge legal document” that covered every model that the company wished to have deleted. The document reportedly included items that did not have Honda logos, but also specific items with certain shapes and dimensions — like a washer fluid reservoir cap, for example.

A response from another employee was posted suggesting other sites that host 3D models were also sent a similar takedown notice.

Richard Stallman Speaks on the State of Free Software, and Answers Questions

Richard Stallman celebrated his 69th birthday last month. And Wednesday, he gave a 92-minute presentation called “The State of the Free Software Movement.”

Stallman began by thanking everyone who’s contributed to free software, and encouraged others who want to help to visit gnu.org/help. “The Free Software movement is universal, and morally should not exclude anyone. Because even though there are crimes that should be punished, cutting off someone from contributing to free software punishes the world. Not that person.”

He then noted some things that have gotten better in the free software movement, including big improvements in projects like GNU Emacs when displaying external packages. (And in addition, “GNU Health now has a hospital management facility, which should make it applicable to a lot more medical organizations so they can switch to free software. And [Skype alternative] GNU Jami got a big upgrade.”)

What’s getting worse? Well, the libre-booted machines that we have are getting older and scarcer. Finding a way to support something new is difficult, because Intel and AMD are both designing their hardware to subjugate people. If they were basically haters of the public, it would be hard for them to do it much worse than they’re doing.

And Macintoshes are moving towards being jails, like the iMonsters. It’s getting harder for users to install even their own programs to run them. And this of course should be illegal. It should be illegal to sell a computer that doesn’t let users install software of their own from source code. And probably shouldn’t allow the computer to stop you from installing binaries that you get from others either, even though it’s true in cases like that, you’re doing it at your own risk. But tying people down, strapping them into their chairs so that they can’t do anything that hurts themselves — makes things worse, not better. There are other systems where you can find ways to trust people, that don’t depend on being under the power of a giant company.

We’ve seen problems sometimes where supported old hardware gets de-supported because somebody doesn’t think it’s important any more — it’s so old, how could that matter? But there are reasons…why old hardware sometimes remains very important, and people who aren’t thinking about this issue might not realize that…

Stallman also had some advice for students required by their schools to use non-free software like Zoom for their remote learning. “If you have to use a non-free program, there’s one last thing… which is to say in each class session, ‘I am bitterly ashamed of the fact that I’m using Zoom for this class.’ Just that. It’s a few seconds. But say it each time…. And over time, the fact that this is really important to you will sink in.”

And then halfway through, Stallman began taking questions from the audience…

Read on for Slashdot’s report on Stallman’s remarks, which also covers how far copyright law should go; that NPM package that deleted files in Russia; whether the free software world needs more videogames; Stallman’s upcoming manual for ‘GNU C’; and free software’s role in protecting our planet’s environment.

Social Media Made Us Stupid – and How to Fix It

Jonathan Haidt, a social psychologist at New York University’s School of Business, argues in the Atlantic that social-media platforms “trained users to spend more time performing and less time connecting.” But that was just the beginning.

He now believes this ultimately fueled a viral dynamic leading to “the continual chipping-away of trust” in a democracy which “depends on widely internalized acceptance of the legitimacy of rules, norms, and institutions.”

The most recent Edelman Trust Barometer (an international measure of citizens’ trust in government, business, media, and nongovernmental organizations) showed stable and competent autocracies (China and the United Arab Emirates) at the top of the list, while contentious democracies such as the United States, the United Kingdom, Spain, and South Korea scored near the bottom (albeit above Russia)…. Mark Zuckerberg may not have wished for any of that. But by rewiring everything in a headlong rush for growth — with a naive conception of human psychology, little understanding of the intricacy of institutions, and no concern for external costs imposed on society — Facebook, Twitter, YouTube, and a few other large platforms unwittingly dissolved the mortar of trust, belief in institutions, and shared stories that had held a large and diverse secular democracy together.
In the last 10 years, the article argues, the general public — at least in America — became “uniquely stupid.” And he’s not just speaking about the political right and left, but within both factions, “as well as within universities, companies, professional associations, museums, and even families.” The article quotes former CIA analyst Martin Gurri’s comment in 2019 that the digital revolution has highly fragmented the public into hostile shards that are “mostly people yelling at each other and living in bubbles of one sort or another.”

The article concludes that by now U.S. politics has entered a phase where truth “cannot achieve widespread adherence” and thus “nothing really means anything anymore–at least not in a way that is durable and on which people widely agree.” It even contemplates the idea of “highly believable” disinformation generated by AI, possibly by geopolitical adversaries, ultimately evolving into what the research manager at the Stanford Internet Observatory has described as “an Information World War in which state actors, terrorists, and ideological extremists leverage the social infrastructure underpinning everyday life to sow discord and erode shared reality.”

But then the article also suggests possible reforms:
The Facebook whistleblower Frances Haugen advocates for simple changes to the architecture of the platforms, rather than for massive and ultimately futile efforts to police all content. For example, she has suggested modifying the “Share” function on Facebook so that after any content has been shared twice, the third person in the chain must take the time to copy and paste the content into a new post. Reforms like this…don’t stop anyone from saying anything; they just slow the spread of content that is, on average, less likely to be true.
Perhaps the biggest single change that would reduce the toxicity of existing platforms would be user verification as a precondition for gaining the algorithmic amplification that social media offers. Banks and other industries have “know your customer” rules so that they can’t do business with anonymous clients laundering money from criminal enterprises. Large social-media platforms should be required to do the same…. This one change would wipe out most of the hundreds of millions of bots and fake accounts that currently pollute the major platforms…. Research shows that antisocial behavior becomes more common online when people feel that their identity is unknown and untraceable.

In any case, the growing evidence that social media is damaging democracy is sufficient to warrant greater oversight by a regulatory body, such as the Federal Communications Commission or the Federal Trade Commission. One of the first orders of business should be compelling the platforms to share their data and their algorithms with academic researchers.

The members of Gen Z–those born in and after 1997–bear none of the blame for the mess we are in, but they are going to inherit it, and the preliminary signs are that older generations have prevented them from learning how to handle it…. Congress should update the Children’s Online Privacy Protection Act, which unwisely set the age of so-called internet adulthood (the age at which companies can collect personal information from children without parental consent) at 13 back in 1998, while making little provision for effective enforcement. The age should be raised to at least 16, and companies should be held responsible for enforcing it. More generally, to prepare the members of the next generation for post-Babel democracy, perhaps the most important thing we can do is let them out to play. Stop starving children of the experiences they most need to become good citizens: free play in mixed-age groups of children with minimal adult supervision…

The article closes with its own note of hope — and a call to action:

In recent years, Americans have started hundreds of groups and organizations dedicated to building trust and friendship across the political divide, including BridgeUSA, Braver Angels (on whose board I serve), and many others listed at BridgeAlliance.us. We cannot expect Congress and the tech companies to save us. We must change ourselves and our communities.

GitHub Issues Security Alert After Spotting Misuse of Tokens Stolen from OAuth Integrators

GitHub issued a security alert Friday.
GitHub’s chief security officer wrote that on Tuesday, “GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm…”

We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14…

Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.

We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.

The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key. Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above. Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications.

We believe that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage.

At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages.

npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users…. GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours.
If you do not receive a notification, you and/or your organization have not been identified as affected.

You should, however, periodically review what OAuth applications you’ve authorized or are authorized to access your organization and prune anything that’s no longer needed.
You can also review your organization audit logs and user account security logs for unexpected or anomalous activity….

The security and trustworthiness of GitHub, npm, and the broader developer ecosystem is our highest priority. Our investigation is ongoing, and we will update this blog, and our communications with affected customers, as we learn more.
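Two of GitHub’s points above translate directly into triage work for an affected organization: the attacker pulled many private repositories in bulk with an OAuth token (the pattern to look for when “reviewing your organization audit logs”), and then mined the contents for secrets such as the AWS key that reached npm’s infrastructure. The following is an added example, not GitHub’s code: it flags actors that cloned an unusual number of distinct private repositories with an OAuth token inside a short window, then scans the exposed repositories for credentials that must be rotated. The audit-log lines and repository contents are constructed samples; the field names (action, actor, repo, created_at, visibility, programmatic_access_type) are assumed to match an org audit-log JSON export and should be checked against your own export, and the `owner/repo:path` key convention for files is this example’s own.

```python
"""Triage for stolen-OAuth-token repo downloads. Added example, not GitHub's code.
Audit-log lines and repo files below are constructed; field names are assumed
to match an org audit-log JSON export (verify against your own export)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed audit-log export, one JSON object per line (field names assumed).
SAMPLE_AUDIT_LOG = """\
{"action":"git.clone","actor":"deploy-user","repo":"acme/api","created_at":"2022-04-12T03:01:10Z","programmatic_access_type":"OAuth access token","visibility":"private"}
{"action":"git.clone","actor":"deploy-user","repo":"acme/billing","created_at":"2022-04-12T03:01:12Z","programmatic_access_type":"OAuth access token","visibility":"private"}
{"action":"git.clone","actor":"deploy-user","repo":"acme/infra","created_at":"2022-04-12T03:01:15Z","programmatic_access_type":"OAuth access token","visibility":"private"}
{"action":"git.clone","actor":"deploy-user","repo":"acme/mobile","created_at":"2022-04-12T03:01:20Z","programmatic_access_type":"OAuth access token","visibility":"private"}
{"action":"git.clone","actor":"deploy-user","repo":"acme/website","created_at":"2022-04-12T03:02:40Z","programmatic_access_type":"OAuth access token","visibility":"private"}
{"action":"git.clone","actor":"alice","repo":"acme/api","created_at":"2022-04-12T09:15:00Z","programmatic_access_type":"SSH key","visibility":"private"}
{"action":"git.clone","actor":"alice","repo":"acme/website","created_at":"2022-04-12T10:20:00Z","programmatic_access_type":"SSH key","visibility":"private"}
{"action":"repo.create","actor":"bob","repo":"acme/new-thing","created_at":"2022-04-12T11:00:00Z","visibility":"public"}
"""

# Constructed repo contents keyed as "owner/repo:path" (this example's own convention).
# The AWS values are Amazon's documented placeholder credentials, not live keys.
SAMPLE_REPO_FILES = {
    "acme/infra:deploy/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                              "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "acme/api:scripts/publish.sh": "#!/bin/sh\nexport GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345\nnpm publish\n",
    "acme/website:README.md": "Run `npm install` then `npm start`.\n",
}

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Catch-all for NAME=value assignments whose name suggests a credential.
    "credential_assignment": re.compile(
        r"(?i)(?:secret|password|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"),
}


def parse_audit_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def bulk_private_clones(events: List[dict], window: timedelta = timedelta(minutes=10),
                        threshold: int = 4) -> Dict[str, Set[str]]:
    """Actors that cloned >= threshold distinct private repos via OAuth token in any window."""
    by_actor: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if (ev.get("action") == "git.clone" and ev.get("visibility") == "private"
                and ev.get("programmatic_access_type") == "OAuth access token"):
            by_actor[ev["actor"]].append(ev)
    flagged: Dict[str, Set[str]] = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["_ts"])
        for i, start in enumerate(evs):
            repos = {e["repo"] for e in evs[i:] if e["_ts"] - start["_ts"] <= window}
            if len(repos) >= threshold:
                flagged.setdefault(actor, set()).update(repos)
    return flagged


def scan_for_secrets(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(path, kind, masked value) per distinct secret; values masked for safe logging."""
    hits, seen = [], set()
    for path, text in files.items():
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                value = m.group(m.lastindex or 0)
                if (path, value) not in seen:
                    seen.add((path, value))
                    hits.append((path, kind, value[:4] + "..." + value[-4:]))
    return hits


def triage(audit_log_text: str, repo_files: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Secrets to rotate, grouped by repo, for repos pulled in a flagged burst."""
    exposed: Set[str] = set()
    for repos in bulk_private_clones(parse_audit_log(audit_log_text)).values():
        exposed |= repos
    to_rotate: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for path, kind, masked in scan_for_secrets(repo_files):
        repo = path.split(":", 1)[0]
        if repo in exposed:
            to_rotate[repo].append((path, kind, masked))
    return dict(to_rotate)


if __name__ == "__main__":
    for repo, secrets in triage(SAMPLE_AUDIT_LOG, SAMPLE_REPO_FILES).items():
        print(repo, secrets)
```

The threshold and window are starting points, not tuned values: a CI integration that legitimately clones many repositories will trip them, so compare the flagged actor’s token type and timing against its normal behaviour before revoking. The scanner intentionally masks what it finds; the full values should never be copied into a ticket.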