Novel Attack Against Virtually All VPN Apps Neuters Their Entire Purpose

Researchers have discovered a new attack that can force VPN applications to route traffic outside the encrypted tunnel, thereby exposing the user’s traffic to potential snooping or manipulation. This vulnerability, named TunnelVision, is found in almost all VPNs on non-Linux and non-Android systems. It’s believed that the vulnerability “may have been possible since 2002 and may already have been discovered and used in the wild since then,” reports Ars Technica. From the report: The effect of TunnelVision is “the victim’s traffic is now decloaked and being routed through the attacker directly,” a video demonstration explained. “The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the Internet.” The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. […]

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It’s also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server. The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn’t implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation. The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device. You can learn more about the research here.
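The mechanism behind the report above is ordinary routing-table behaviour: DHCP option 121 (RFC 3442 "classless static routes") lets a server push arbitrary prefixes that the client installs on the physical interface, and a more specific prefix always beats the VPN app's own routes in a longest-prefix-match lookup. The following Python model is an added example written for this page; it is not code from the TunnelVision researchers, from Ars Technica, or from any VPN vendor. It decodes and encodes the option 121 wire format, builds a hypothetical full-tunnel routing table (the two /1 routes via tun0 and the VPN server exclusion are a common layout, but the addresses, interface names and metrics are constructed), applies a constructed rogue payload, and shows which destinations stop egressing through the tunnel.

```python
"""Toy model of the TunnelVision routing effect (added example, not from the research).

Decodes DHCP option 121 (RFC 3442 classless static routes), installs the routes
on the physical interface the way a DHCP client would, and uses a longest-prefix
match to show which destinations no longer leave via the VPN's tun device.
All addresses, interface names and metrics below are constructed assumptions.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str, int]  # (prefix, gateway, iface, metric)


def decode_option_121(payload: bytes) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Parse RFC 3442 payload: [prefix_len][significant dest octets][4-byte router]..."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        nsig = (plen + 7) // 8          # only the significant destination octets are on the wire
        end = i + 1 + nsig + 4
        if end > len(payload):
            raise ValueError("truncated classless static route option")
        dest = payload[i + 1:i + 1 + nsig] + b"\x00" * (4 - nsig)
        router = payload[i + 1 + nsig:end]
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i = end
    return routes


def encode_option_121(routes) -> bytes:
    """Inverse of decode_option_121: the bytes a (rogue) DHCP server would send."""
    out = bytearray()
    for net, router in routes:
        net = ipaddress.IPv4Network(net)
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def select_iface(table: List[Route], dst: str) -> str:
    """Longest-prefix match; lowest metric breaks ties. Returns the egress interface."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, _gw, iface, metric in table:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def vpn_table() -> List[Route]:
    """Hypothetical full-tunnel layout: two /1 routes via tun0 outrank the LAN default route."""
    return [
        (ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "eth0", 100),       # default route from DHCP
        (ipaddress.IPv4Network("192.168.1.0/24"), "0.0.0.0", "eth0", 100),      # local LAN
        (ipaddress.IPv4Network("203.0.113.5/32"), "192.168.1.1", "eth0", 100),  # VPN server endpoint
        (ipaddress.IPv4Network("0.0.0.0/1"), "10.8.0.1", "tun0", 50),           # installed by VPN app
        (ipaddress.IPv4Network("128.0.0.0/1"), "10.8.0.1", "tun0", 50),         # installed by VPN app
    ]


def apply_option_121(table: List[Route], payload: bytes, lan_iface: str = "eth0") -> List[Route]:
    """Install pushed routes on the LAN interface, as a DHCP client does; the VPN app is not consulted."""
    new = list(table)
    for net, router in decode_option_121(payload):
        new.append((net, str(router), lan_iface, 100))
    return new


# Constructed rogue-server payload: two targeted prefixes, next hop = the attacker's LAN address.
ROGUE_PAYLOAD = encode_option_121([
    ("198.51.100.0/24", "192.168.1.66"),
    ("192.0.2.0/28", "192.168.1.66"),
])


if __name__ == "__main__":
    before = vpn_table()
    after = apply_option_121(before, ROGUE_PAYLOAD)
    for dst in ("198.51.100.7", "192.0.2.9", "192.0.2.200", "8.8.8.8"):
        print(f"{dst:>14}: {select_iface(before, dst)} -> {select_iface(after, dst)}")
```

The /24 and /28 pushed by the rogue server are longer than the VPN's /1 routes, so traffic to those destinations leaves on eth0 toward the attacker while everything else still uses tun0; the VPN app sees no change because its own routes are untouched, which is why it keeps reporting a protected connection. The same decoder can be pointed at the option 121 bytes in a captured DHCPACK to check whether a network you are joining is pushing routes at all; Android ignores the option entirely, so nothing would be installed there.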

Read more of this story at Slashdot.

Microsoft’s ‘Responsible AI’ Chief Worries About the Open Web

From the Washington Post’s “Technology 202” newsletter:

As tech giants move toward a world in which chatbots supplement, and perhaps supplant, search engines, the Microsoft executive assigned to make sure AI is used responsibly said the industry has to be careful not to break the business model of the wider web. Search engines citing and linking to the websites they draw from is “part of the core bargain of search,” [Microsoft’s chief Responsible AI officer] said in an interview Monday….

“It’s really important to maintain a healthy information ecosystem and recognize it is an ecosystem. And so part of what I will continue to guide our Microsoft teams toward is making sure that we are citing back to the core webpages from which the content is sourced. Making sure that we’ve got that feedback loop happening. Because that is part of the core bargain of search, right? And I think it’s critical to make sure that we are both providing users with new engaging ways to interact, to explore new ideas — but also making sure that we are building and supporting the great work of our creators.”

Asked about lawsuits alleging copyright use without permission, they said “We believe that there are strong grounds under existing laws to train models.”

But they also added those lawsuits are “asking legitimate questions” about where the boundaries are, “for which the courts will provide answers in due course.”

Read more of this story at Slashdot.

Scientists Find a ‘Missing Link’ Between Poor Diet and Higher Cancer Risk

Science Alert reports that a team of researchers found “that changes in glucose metabolism could help cancer grow by temporarily disabling a gene that protects us from tumors called BRCA2.”

The team first examined people who inherited one faulty copy of BRCA2. They found that cells from these people were more sensitive to methylglyoxal (MGO), which is produced when cells break down glucose for energy in the process of glycolysis. Glycolysis generates over 90 percent of the MGO in cells, which a pair of enzymes typically keep to minimal levels. In the event they can’t keep up, high MGO levels can lead to the formation of harmful compounds that damage DNA and proteins. In conditions like diabetes, where MGO levels are elevated due to high blood sugar, these harmful compounds contribute to disease complications.

The researchers discovered that MGO can temporarily disable the tumor-suppressing functions of the BRCA2 protein, resulting in mutations linked to cancer development…

As the BRCA2 allele isn’t permanently inactivated, functional forms of the protein it produces can later return to normal levels. But cells repeatedly exposed to MGO may continue to accumulate cancer-causing mutations whenever existing BRCA2 protein production fails. Overall, this suggests that changes in glucose metabolism can disrupt BRCA2 function via MGO, contributing to the development and progression of cancer…

This new information may lead to strategies for cancer prevention or early detection. “Methylglyoxal can be easily detected by a blood test for HbA1C, which could potentially be used as a marker,” Venkitaraman says. “Furthermore, high methylglyoxal levels can usually be controlled with medicines and a good diet, creating avenues for proactive measures against the initiation of cancer.”

Their research has been published in Cell.

Read more of this story at Slashdot.

Can Technology Help Reduce Drunk-Driving Deaths?

An anonymous reader shared this report from the Wall Street Journal:
Drunken-driving deaths in the U.S. have risen to levels not seen in nearly two decades, federal data show, a major setback to long-running road-safety efforts. At the same time, arrests for driving under the influence have plummeted, as police grapple with challenges like hiring woes and heightened concern around traffic stops… About 13,500 people died in alcohol impairment-related crashes in 2022, according to data released in April by the National Highway Traffic Safety Administration. That is 33% above 2019’s toll and on par with 2021’s. The last time so many people died as a result of accidents involving intoxicated drivers was in 2006.
That’s still down from the early 1980s, when America was seeing over 20,000 drunk-driving deaths a year, according to the article. “By 2010, that number had fallen to around 10,000 thanks to high-profile public-education campaigns by groups like MADD, tougher laws, and aggressive enforcement that included sobriety checkpoints and typically yielded well over a million DUI arrests annually.”
But some hope to solve the problem using technology:
Many activists and policymakers are banking on the promise of built-in devices to prevent a car from starting if the driver is intoxicated, either by analyzing a driver’s exhaled breath or using skin sensors to gauge the blood-alcohol level. NHTSA issued a notice in December that it said lays the groundwork for potential alcohol-impairment detection technology standards in all new cars “when the technology is mature.”
And Glenn Davis, who manages Colorado’s highway-safety office, “pointed to Colorado’s extensive use of ignition interlock systems that require people convicted of DUI to blow into a tube to verify they are sober in order for their car to start. He said the office promotes nondriving options such as Lyft and Uber.”

Read more of this story at Slashdot.

AI-Powered ‘HorseGPT’ Fails to Predict This Year’s Kentucky Derby Winner

In 2016, an online “swarm intelligence” platform generated a correct prediction for the Kentucky Derby — naming all four top finishers, in order. (But the next year their predictions weren’t even close, with TechRepublic suggesting 2016’s race had an unusual cluster of just a few top racehorses.)

So this year Decrypt.co tried crafting their own system “that can be called up when the next Kentucky Derby draws near.”
There are a variety of ways to enlist artificial intelligence in horse racing. You could process reams of data based on your own methodology, trust a third-party pre-trained model, or even build a bespoke solution from the ground up. We decided to build a GPT we named HorseGPT to crunch the numbers and make the picks for us…

We carefully curated prompts to instill HorseGPT with expertise in data science specific to horse racing: how weather affects times, the role of jockeys and riding styles, the importance of post positions, and so on. We then fed it a mix of research papers and blogs covering the theoretical aspects of wagering, and layered on practical knowledge: how to read racing forms, what the statistics mean, which factors are most predictive, expert betting strategies, and more. Finally, we gave HorseGPT a wealth of historical Kentucky Derby data, arming it with the raw information needed to put its freshly imparted skills to use.
We unleashed HorseGPT on official racing forms for this year’s Derby. We asked HorseGPT to carefully analyze each race’s form, identify the top contenders, and recommend wager types and strategies based on deep background knowledge derived from race statistics.

HorseGPT picked two horses to win — both of which failed to do so. (Sierra Leone did finish second — in a rare photo finish. But Fierceness finished… 15th.) It also recommended the same two horses if you were trying to pick the top two finishers in the correct order — a losing bet, since, again, Fierceness finished 15th.

But even worse, HorseGPT recommended betting on Just a Touch to finish in either first or second place. When the race was over, that horse finished dead last. (And when asked to pick the top three finishers in correct order, HorseGPT stuck with its choices for the top two — which finished #2 and #15 — and, again, Just a Touch, who came in last.)

When Google Gemini was asked to pick the winner by The Athletic, it first chose Catching Freedom (who finished 4th). But it then gave an entirely different answer when asked to predict the winner “with an Italian accent.”

“The winner of the Kentucky Derby will be… Just a Touch! Si, that’s-a right, the underdog! There will be much-a celebrating in the piazzas, thatta-a I guarantee!”

Again, Just a Touch came in last.

Decrypt noticed the same thing. “Interestingly enough, our HorseGPT AI agent and the other out-of-the-box chatbots seemed to agree with each other,” the site notes, “and with many expert analysts cited by the official Kentucky Derby website.”

But there was one glimmer of insight into the 20-horse race. When asked to choose the top four finishers in order, HorseGPT repeated those same losing picks — which finished #2, #15, and #20. But then it added two more underdogs as possible fourth-place finishers, “based on their potential to outperform expectations under muddy conditions.”
One of those two horses — Domestic Product — finished in 13th place.

But the other of the two horses was Mystik Dan — who came in first.

Mystik Dan appeared in only one of the six “Top 10 Finishers” lists (created by humans) at the official Kentucky Derby site… in the #10 position.

Read more of this story at Slashdot.

Humans Now Share the Web Equally With Bots, Report Warns

An anonymous reader quotes a report from The Independent, published last month: Humans now share the web equally with bots, according to a major new report — as some fear that the internet is dying. In recent months, the so-called “dead internet theory” has gained new popularity. It suggests that much of the content online is in fact automatically generated, and that the number of humans on the web is dwindling in comparison with bot accounts. Now a new report from cyber security company Imperva suggests that it is increasingly becoming true. Nearly half, 49.6 per cent, of all internet traffic came from bots last year, its “Bad Bot Report” indicates. That is up 2 percent in comparison with last year, and is the highest number ever seen since the report began in 2013. In some countries, the picture is worse. In Ireland, 71 per cent of internet traffic is automated, it said.

Some of that rise is the result of the adoption of generative artificial intelligence and large language models. Companies that build those systems use bots to scrape the internet and gather data that can then be used to train them. Some of those bots are becoming increasingly sophisticated, Imperva warned. More and more of them come from residential internet connections, which makes them look more legitimate. “Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications,” said Nanhi Singh, general manager for application security at Imperva. “As more AI-enabled tools are introduced, bots will become omnipresent.”

Read more of this story at Slashdot.

Apple Announces Largest-Ever $110 Billion Share Buyback As iPhone Sales Drop

Apple reported fiscal second-quarter earnings that topped estimates, despite a 10% drop in iPhone sales. The company also announced that its board had authorized $110 billion in share repurchases, “a 22% increase over last year’s $90 billion authorization,” notes CNBC. “It’s the largest buyback in history, ahead of Apple’s previous repurchases.” From the report: Apple did not provide formal guidance, but Apple CEO Tim Cook told CNBC’s Steve Kovach that overall sales would grow in the “low single digits” during the June quarter. Apple posted $81.8 billion in revenue during the year-ago June quarter and LSEG analysts were looking for a forecast of $83.23 billion. On an earnings call with analysts, Apple finance chief Luca Maestri said the company expected the current quarter will deliver double-digit year-over-year percentage growth in iPad sales. What’s more, he said the Services division is forecast to continue growing at about the current high rate it’s achieved during the past two quarters.

Apple reported net income of $23.64 billion, or $1.53 per share, down 2% from $24.16 billion, or $1.52 per share, in the year-earlier period. Cook told CNBC that sales in the fiscal second quarter suffered from a difficult comparison to the year-earlier period, when the company realized $5 billion in delayed iPhone 14 sales from Covid-based supply issues. “If you remove that $5 billion from last year’s results, we would have grown this quarter on a year-over-year basis,” Cook said. “And so that’s how we look at it internally from how the company is performing.”

Apple said iPhone sales fell nearly 10% to $45.96 billion, suggesting weak demand for the current generation of smartphones, which were released in September. The sales were in line with analyst estimates, and Cook said that without last year’s increased sales, iPhone revenue would have been flat. Mac sales were up 4% to $7.45 billion, but they are still below the segment’s high-water mark set in 2022. Cook said sales were driven by the company’s new MacBook Air models which were released with an upgraded M3 chip in March. Other Products, which is how Apple reports sales of its Apple Watch and AirPods headphones, was down 10% year over year to $7.9 billion.

Read more of this story at Slashdot.