CISA Director: We’ll Be Dealing With Log4j For a Long Time

Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday. CNET reports: If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack. No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said.

Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It’s possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. “We do expect Log4Shell to be used in intrusions well into the future,” Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software. Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.

Read more of this story at Slashdot.

Green Texts In IMessages Nudges Teens To Use IPhones

Slashdot reader PolygamousRanchKid quotes a report from Apple Insider: Apple’s color-coding of SMS communications in green in iMessage plays a role alongside other feature in getting teenagers to switch from Android to iPhone, a report claims, with a pressure to fit in with their peers promoting moves to turn their messages blue. The use of green and blue to show whether a message to a user is made through iMessage or via other devices has become more than a simple convenience indicator for users. It’s also a form of status indicator, showing the user not only owns an iPhone, but can also make use of features on the platform that others cannot. In a profile of the color-indication system by the Wall Street Journal, teenagers and students explain how not having an iPhone and seeing green messages are seemingly a negative to them.
New York masters student Jocelyn Maher said she was mocked by her friends and younger sister when dating, if the potential suitor used Android. ‘I was like, Oh my gosh, his texts are green,’ and my sister literally went Ew, that’s gross,” said Maher.
Apple is apparently well aware that iMessage is a serious draw to its users, with it surfacing in the Epic-Apple trial as part of a series of claims it was used to lock users into its ecosystem. Epic pointed to statements by senior Apple management that the company had blocked the creation of an Android version of iMessage.

The Wall Street Journal headlined its piece, “Why Appleâ(TM)s iMessage Is Winning: Teens Dread the Green Text Bubble.”

Read more of this story at Slashdot.

Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries

“Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking..” reports BleepingComputer.
“The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on ‘colors and ‘faker’.”

The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents….

Yesterday, users of popular open-source projects, such as Amazon’s Cloud Development Kit were left stunned on seeing their applications print gibberish messages on their console. These messages included the text ‘LIBERTY LIBERTY LIBERTY’ followed by a sequence of non-ASCII characters… The developer, named Marak Squires added a “new American flag module” to colors.js library yesterday in version v1.4.44-liberty-2 that he then pushed to GitHub and npm. The infinite loop introduced in the code will keep running indefinitely; printing the gibberish non-ASCII character sequence endlessly on the console for any applications that use ‘colors.’ Likewise, a sabotaged version ‘6.6.6’ of faker was published to GitHub and npm….

The reason behind this mischief on the developer’s part appears to be retaliation — against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community. In November 2020, Marak had warned that he will no longer be supporting the big corporations with his “free work” and that commercial entities should consider either forking the projects or compensating the dev with a yearly “six figure” salary….

Some dubbed this an instance of “yet another OSS developer going rogue,” whereas InfoSec expert VessOnSecurity called the action “irresponsible,” stating: “If you have problems with business using your free code for free, don’t publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, ‘coz stuff might break.”

GitHub has reportedly suspended the developer’s account. And, that too, has caused mixed reactions… “Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code,” responded software engineer Sergio Gómez.

“While it looks like color.js has been updated to a working version, faker.js still appears to be affected, but the issue can be worked around by downgrading to a previous version (5.5.3),” reports the Verge:

Even more curiously, the faker.js Readme file has also been changed to “What really happened with Aaron Swartz…?”

Squires’ bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions.

Read more of this story at Slashdot.

Amazon Joins Lockheed Martin and Cisco to Send Alexa to Space, Offers NASA Tours for SchoolKids

“Alexa, when are we arriving at the moon?” quips GeekWire.

Long-time Slashdot reader theodp writes:

This week brought news that Amazon is teaming up with Lockheed Martin and Cisco to put its Alexa voice assistant on NASA’s Orion spacecraft for the (uncrewed) Artemis 1 round-the-moon mission….

On the heels of that announcement came news that Amazon Future Engineer (AFE) has partnered with Mobile CSP and the National Science Teaching Association (NSTA) on the Alexa for Astronauts program, which will provide students in grades 4-and-up with live WebEx by Cisco tours from NASA’s Johnson Space Center. This program will also provide curriculum — NSTA’s Using AI to Monitor Health and Mobile CSP’s Alexa in Space — aimed at teaching high school Science and AP Computer Science Principles students “how to program their own Alexa skills that could help astronauts [and ‘inexperienced space travelers, such as tourists’] solve problems in space and communities at home” using MIT’s App Inventor.

App Inventor, some may recall, was developed at Google to bring programming to the masses only to be suddenly abandoned. App Inventor was later picked up by MIT and — with support from Google and millions in NSF funding — eventually found its way into curriculum developed for the new AP CSP course aimed at mainstreaming AP Computer Science.

Read more of this story at Slashdot.

New NFT Series Announced – By Cheech and Chong

Long-time Slashdot reader destinyland writes: Yes, it’s true. 83-year-old Tommy Chong and and 75-year-old Cheech Marin have reunited to create NFTs — a whole series of ’em — “bringing to life new characters and storylines,” according to an official announcement, “while simultaneously celebrating Cheech & Chong’s 50-plus year career of commercial and cultural success.”

The NFT series will be called “Homies in Dreamland.”

“As many know, I am deeply involved in the art community,” Cheech says in the announcement. “As an early believer, I am glad we are introducing an NFT project now, ushering in a new era of branding for the duo and the art community.”

And Tommy Chong calls NFTs “a new way for people to express themselves and reach out to others.

“Art is connecting with others and reaching the deeper parts of self. This can bring people from the NFT world into the world of Cheech and Chong, and together in the world of NFTs.”
Last month Cheech and Chong even announced an official Discord channel for their NFT series — where they’re also hosting movie and trivia nights. But “the holders of the NFT art collectible will gain access to a variety of utility, including future airdrops and special access/utility tokens randomly inserted throughout the collection.”

The NFT series will release sometime this month, according to the announcement, with artwork by Jermaine Rogers, known for his poster art for musical acts including David Bowie, Childish Gambino, Tool, Foo Fighters, Radiohead, and Run The Jewels…

Read more of this story at Slashdot.

Blood Test Could Help Detect Cancer Earlier In People With Nonspecific Symptoms

Slashdot reader eastlight_jim writes:

Scientists from the University of Oxford have today published a study in Clinical Cancer Research which shows that they can use a technique called NMR (nuclear magnetic resonance) metabolomics analysis to identify patients with cancer. Specifically, they identify patients with cancer from within a population of generally unwell patients with non-specific symptoms like fatigue and weigh-loss — a traditionally hard-to-diagnose cohort.

The technique works because the NMR identifies small molecules called metabolites in the blood of patients and this information can then be used by machine learning to recognise patterns of metabolites specific to cancer, as well as identifying patients whose cancer has already spread.

The Guardian reports:
If validated, the test could enable cancer patients to be identified earlier, when they are more likely to respond to treatment, and help flag up who could benefit from early access to drugs designed to tackle metastatic cancer.

The test can also tell if the disease has spread.

There is currently no clear route through which someone with nonspecific symptoms that could be cancer is referred for further investigation…. “The problem we’ve had in the past is that if they do have cancer, that cancer is growing all the time, and when they come back the cancers are often quite advanced,” said Dr James Larkin, of the University of Oxford, who was involved in the research. Although it is difficult to know precisely how many individuals fall into this category, “it is likely to be tens of thousands of patients across the UK,” Larkin said.

Read more of this story at Slashdot.