WordPress Plugin Hole Puts ‘2 Million Websites’ At Risk

A vulnerability in the “Advanced Custom Fields” plugin for WordPress is putting more than two million users at risk of cyberattacks, warns Patchstack researcher Rafie Muhammad. The Register reports: A warning from Patchstack about the flaw claimed there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugins, which are used to give site operators greater control of their content and data, such as edit screens and custom field data. Patchstack researcher Rafie Muhammad uncovered the vulnerability on February 5, and reported it to Advanced Custom Fields’ vendor Delicious Brains, which took over the software last year from developer Elliot Condon. On May 5, a month after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. It’s recommended users update their plugin to at least version 6.1.6.

The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then “reflected” back and executed within the browser of a visitor. Essentially, it allows someone to run JavaScript within another person’s view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That’s a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.

“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack wrote in its report. The outfit added that “this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”

Read more of this story at Slashdot.

Yet Another Problem with Recycling: It Spews Microplastics

“An alarming new study has found that even when plastic makes it to a recycling center, it can still end up splintering into smaller bits that contaminate the air and water,” reports Wired:

This pilot study focused on a single new facility where plastics are sorted, shredded, and melted down into pellets. Along the way, the plastic is washed several times, sloughing off microplastic particles — fragments smaller than 5 millimeters — into the plant’s wastewater. Because there were multiple washes, the researchers could sample the water at four separate points along the production line. (They are not disclosing the identity of the facility’s operator, who cooperated with their project.) This plant was actually in the process of installing filters that could snag particles larger than 50 microns (a micron is a millionth of a meter), so the team was able to calculate the microplastic concentrations in raw versus filtered discharge water — basically a before-and-after snapshot of how effective filtration is.

Their microplastics tally was astronomical. Even with filtering, they calculate that the total discharge from the different washes could produce up to 75 billion particles per cubic meter of wastewater. Depending on the recycling facility, that liquid would ultimately get flushed into city water systems or the environment. In other words, recyclers trying to solve the plastics crisis may in fact be accidentally exacerbating the microplastics crisis, which is coating every corner of the environment with synthetic particles.

“It seems a bit backward, almost, that we do plastic recycling in order to protect the environment, and then end up increasing a different and potentially more harmful problem,” says plastics scientist Erina Brown, who led the research while at the University of Strathclyde.
“It raises some very serious concerns,” agrees Judith Enck, president of Beyond Plastics and a former US Environmental Protection Agency regional administrator, who wasn’t involved in the paper. “And I also think this points to the fact that plastics are fundamentally not sustainable.”

Wired points out that more than half the microplastics can be captured with a filtration system. “Without it, the researchers calculated that this single recycling facility could emit up to 6.5 million pounds of microplastic per year. Filtration got it down to an estimated 3 million pounds.”

But one of the paper’s co-authors shared their discouraging conclusion. “The recycling centers are potentially making things worse by actually creating microplastics faster and discharging them into both water and air. I’m not sure we can technologically engineer our way out of that problem.”


Why the Creator of Ruby on Rails Prefers Dynamic Typing

“I write all novel client-side code as JavaScript instead of TypeScript, and it’s a delight,” says the creator of Ruby on Rails. Posting on Twitter, David Heinemeier Hansson opined that TypeScript “sucked out much of the joy I had writing JavaScript. I’m forever grateful that Yukihiro ‘Matz’ Matsumoto didn’t succumb to the pressure of adding similar type hints to Ruby.”

When it comes to static vs dynamic typing, “I’ve heard a million arguments from both sides throughout my entire career,” Hansson wrote on his blog today, “but seen very few of them ever convinced anyone of anything.”
But wait — he thinks we can all get along:
Personally, I’m unashamedly a dynamic typing kind of guy. That’s why I love Ruby so very much. It takes full advantage of dynamic typing to allow the poetic syntax that results in such beautiful code. To me, Ruby with explicit, static typing would be like a salad with a scoop of ice cream. They just don’t go together.

I’ll also confess to having embraced the evangelical position for dynamic typing in the past. To the point of suffering from a One True Proposition affliction. Seeing the lack of enthusiasm for dynamic typing as a reflection of missing education, experience, or perhaps even competence.

Oh what folly. Like trying to convince an introvert that they’d really like parties if they’d just loosen up a bit…

These days, I’ve come to appreciate the magnificence of multiplicity. Programming would be an awful endeavor if we were all confined to the same paradigm. Human nature is much too varied to accept such constraint on its creativity…But it took a while for me to come to these conclusions. I’m a recovering solutionist. So when I see folks cross their heart in disbelief that anyone, anywhere might fancy JavaScript over TypeScript, I smile, and I remember the days when I’d recognize their zeal in the mirror.

Hansson also sees the “magnificence of multiplicity” in positions about functional vs object-oriented programming. “Poles on both these axes have shown to deliver excellent software over the decades (and awful stuff too!).”


Binance Temporarily Paused Bitcoin Transactions Over Network Congestion, Also Faces Government Scrutiny

CoinDesk reports that Binance “temporarily paused bitcoin withdrawals Sunday morning U.S. time as the Bitcoin blockchain became overwhelmed with pending transactions and sky-high fees.”
The company resumed withdrawals within two hours of its initial Twitter posting about the withdrawals.
On-chain data shows that there are nearly 400,000 unconfirmed Bitcoin transactions, which is higher than anything seen during the bull runs of 2018 and 2021. The average transaction fee has also doubled since March, pushing it to a two-year high. The current transaction fee is just over $8, a 309% change from a year ago.

In an earlier CoinDesk article, an executive at Luxor Technologies, a full-stack Bitcoin mining pool, blamed the rising fees on the adoption of the new BRC-20 token standard, a new way to “inscribe” additional data during transactions.

But meanwhile, an anonymous reader shared another report from Mashable about Binance:

Bloomberg reported that the crypto exchange (currently the world’s largest) is facing a U.S. Department of Justice probe over possibly allowing Russians to move money in a way that would violate U.S. sanctions… It’s worth noting that no formal accusation has been made against Binance, as this is just a probe. It may be some time before accusations manifest — if they manifest at all. In 2021, Binance was under a similar investigation related to possible money laundering.
But another Reuters article adds that Bloomberg’s sources “also said that Binance is discussing the possibility of settling with the Department of Justice regarding previous allegations that the exchange was also used to move money to circumvent U.S. sanctions against Iran.”
And elsewhere, Reuters reports:
Israel has seized around 190 crypto accounts at crypto exchange Binance since 2021, including two it said were linked to Islamic State and dozens of others it said were owned by Palestinian firms connected to the Islamist Hamas group, documents released by the country’s counter-terror authorities show…
In a blog post after its publication, Binance said that Reuters was “deliberately leaving out critical facts.” The exchange has been “working closely with international counter-terrorism authorities” on the seizures, Binance said. “With regard to the specific organizations mentioned in the article, it’s important to clarify that bad actors don’t register accounts under the names of their criminal enterprises,” it said…
Under Israeli law, the country’s defense minister can order the seizure and confiscation of assets that the ministry deems related to terrorism… The seizures by Israel’s National Bureau for Counter Terror Financing highlight how governments are targeting crypto companies in their efforts to prevent illegal activity. Binance, founded in 2017 by CEO Changpeng Zhao, says on its website it reviews information requests from governments and law enforcement agencies on a case-by-case basis, disclosing information as legally required.

Binance has also said it checks users for connections to terrorism and has “continued to invest tremendous resources to enhance its compliance program,” it told U.S. senators in March in response to their requests for information on Binance’s regulatory compliance and finances.


Racehorse Owned by 391 Users of a Sports-Investment App Wins Kentucky Derby

This year’s Kentucky Derby was won by a 15-to-1 longshot named Mage, reports sports magazine the Athletic. It was only the horse’s third race — but the story gets even stranger:
Mage is owned by a collective of horse racing fans that doesn’t follow your standard ownership structure. Fans can purchase shares of a horse for as little as $50. It’s a publicly owned racehorse. Mage has 391 owners on the Commonwealth app. Many were at the 2023 Kentucky Derby wearing Mage hats and they were shown on NBC’s lead up to the Kentucky Derby.
The Commonwealth app even tried to arrange watch parties for the horse race across the country. Shareholders own 25% of the racehorse, reports Sporting News:

Although horses are the most common commodity, there are golfers on the app as well, specifically Joey Vrzich and Cooper Dossey, whom it says are “coming Spring 2023.” Commonwealth has a partnership with WinStar Farm, a premier breeder of thoroughbreds… “Together we are going to revolutionize the ownership experience and give the world access to horses that were once unavailable to the public,” Brian Doxtator, CEO of Commonwealth said, per the collective’s website.

According to Action Network’s Darren Rovell, Commonwealth owners will be paid out $94.52 per share (prior to taxes) for the win.

Before the race the Athletic sports magazine asked seven experts for their picks — and only one of them had even mentioned Mage. (The Athletic’s senior sports betting editor correctly picked Mage and “Angel of Empire” to finish somewhere in the top three positions.) But just for fun, the Athletic also asked three AI chatbots — and none of them picked the winner:

Bing AI: That’s a tough question. I don’t have a personal preference, but based on the odds and the past performances, I think Forte has a good chance of winning. He has been very consistent and impressive in his races, and he has a top trainer and jockey. He also has a favorable post position at No. 14, which gives him some room to maneuver and avoid traffic. But as I said, anything can happen in the Kentucky Derby, and there are many other talented horses in the field. It will be an exciting race to watch.

Google Bard: I like the chances of Tapit Trice to win the 2023 Kentucky Derby. He is the second-lowest odds horse at 5-1, and has won twice and finished second twice in six career races. He has one of the best pedigrees a horse could ask for, being sired by Justify, the 2018 Triple Crown winner. He is also coming off an impressive showing in the 2023 Blue Grass Stakes, where he finished second just barely behind Verifying.
Here are some other horses that I like to finish in the money… The Kentucky Derby is always a tough race to predict, but I think these horses have a good chance of winning or finishing in the money. [Bard then listed five more of the 18 horses — one of which ultimately finished third.]

Chat GPT: As an artificial intelligence language model, I don’t have personal opinions or preferences. However, based on the current information I have, I cannot accurately predict the winner of the Kentucky Derby. Horse racing involves many variables, including the skill of the jockey, the health and performance of the horse, and even the weather conditions on race day. The outcome of any given race is always uncertain and subject to chance. It’s important to note that gambling can be risky, and I don’t encourage it.


Will Remote Working Lead Millennials to Buy Homes in Affordable Remote Suburbs?

An anonymous reader shared this report from Fortune:
For eight years now, as millennials have entered their thirties and forties, also known as “homebuying age,” Bank of America has surveyed over 1,000 members of the generation once a year for its Home Work series. And for 2023’s edition… older millennials (age 31-41) are almost three times as likely to move into a house than an apartment, the survey found…

Migration patterns during the pandemic have clearly established that most homebuyers have wanted to flee big cities, with some “zoomtowns” such as Boise benefiting in particular. But the survey reveals something even more drastic. In a section called “suburban nation,” BofA reveals that 43% to 45% of millennials — of every age — expect to buy a house in the suburbs. “We expect the ability to work from home to remain an incentive for young families to seek out more remote suburban and rural markets where housing may be more affordable,” wrote the BofA team led by research analyst Elizabeth Suzuki. And remote work is still robust, they added.

Millennials are also looking toward the suburbs for wealth-building. A majority (two-thirds) of them believe that they’ll buy a home in the next two years, citing a return on investment as the number one reason for purchasing. The interest is pervasive across the generation, and maybe means that the suburb is in for a new and better revival. And a 2021 study from Pew Research Center found that one in five adults preferred city life, compared to one quarter of adults in 2018…

Millennials reported to BofA that the pandemic increased their likelihood of buying a home…


Bill Gates Visits Planned Site of ‘Most Advanced Nuclear Facility in the World’

On Friday, Bill Gates visited Kemmerer, Wyoming (population: 2,656) — where a coal plant was shutting down after 50 years. But Gates was there “to celebrate the latest step in a project that’s been more than 15 years in the making: designing and building a next-generation nuclear power plant…”

The new plant will employ “between 200 and 250 people,” Gates writes in a blog post, “and those with experience in the coal plant will be able to do many of the jobs — such as operating a turbine and maintaining connections to the power grid — without much retraining.”

It’s called the Natrium plant, and it was designed by TerraPower, a company I started in 2008. When it opens (potentially in 2030), it will be the most advanced nuclear facility in the world, and it will be much safer and produce far less waste than conventional reactors.
All of this matters because the world needs to make a big bet on nuclear. As I wrote in my book How to Avoid a Climate Disaster, we need nuclear power if we’re going to meet the world’s growing need for energy while also eliminating carbon emissions. None of the other clean sources are as reliable, and none of the other reliable sources are as clean…

Another thing that sets TerraPower apart is its digital design process. Using supercomputers, they’ve digitally tested the Natrium design countless times, simulating every imaginable disaster, and it keeps holding up. TerraPower’s sophisticated work has drawn interest from around the globe, including an agreement to collaborate on nuclear power technology in Japan and investments from the South Korean conglomerate SK and the multinational steel company ArcelorMittal…

I’m excited about this project because of what it means for the future. It’s the kind of effort that will help America maintain its energy independence. And it will help our country remain a leader in energy innovation worldwide. The people of Kemmerer are at the forefront of the equitable transition to a clean, safe energy future, and it’s great to be partnering with them.

Gates writes that for safety the plant uses liquid sodium (instead of water) to absorb excess heat, and it even has an energy storage system “to control how much electricity it produces at any given time…”

“I’m convinced that the facility will be a win for the local economy, America’s energy independence, and the fight against climate change.”
