Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered

jd (Slashdot reader #1,658) shared this story from BleepingComputer. The article notes that “Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys.”

jd explains that Crystals-Kyber “was chosen to be the U.S. government’s post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself.”
From the article:
CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption… The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key…

In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber’s secret key from decryption timings in two out of three attempts…
On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.
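The decapsulation step the article refers to decodes each polynomial coefficient back to one message bit, and that decode involves a division by Kyber's modulus q = 3329. The block below is an added illustration, not the reference implementation's code: it shows the division-based form beside a constant-time multiply-and-shift equivalent and checks exhaustively that the two agree on every coefficient. The constants 80635 (floor(2^28/q)) and the rounding offset 1665 are chosen here for that equivalence; the input is assumed to be a coefficient already reduced to [0, q).

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Variable-time form: a compiler may lower this integer division to a
   loop or to an instruction whose latency depends on the operands, so
   the secret-dependent coefficient t leaks through timing (the issue
   described above). t is a reduced coefficient in [0, KYBER_Q). */
static uint8_t tomsg_bit_division(int16_t t) {
    uint16_t u = (uint16_t)t;
    return (uint8_t)((((u << 1) + KYBER_Q / 2) / KYBER_Q) & 1);
}

/* Constant-time form: the division by q is replaced by a multiplication
   by a fixed approximation of 2^28/q followed by a shift. 80635 is
   floor(2^28/3329); using offset 1665 instead of 1664 makes the slight
   under-approximation land on the same integer as the exact division
   for every t in [0, q). Shifts, adds and multiplies by a constant are
   fixed-latency on common CPUs. */
static uint8_t tomsg_bit_ct(int16_t t) {
    uint32_t u = (uint32_t)(uint16_t)t;
    u <<= 1;
    u += 1665;
    u *= 80635;   /* max 8321 * 80635 fits comfortably in 32 bits */
    u >>= 28;
    return (uint8_t)(u & 1);
}

/* Exhaustive check over all q possible coefficients.
   Returns the number of mismatches; 0 means the replacement is exact. */
int count_mismatches(void) {
    int bad = 0;
    for (int t = 0; t < KYBER_Q; t++)
        if (tomsg_bit_division((int16_t)t) != tomsg_bit_ct((int16_t)t))
            bad++;
    return bad;
}

int main(void) {
    printf("mismatches over all %d coefficients: %d\n",
           KYBER_Q, count_mismatches());
    return 0;
}
```

The check is cheap (3329 inputs) and is the kind of regression test to keep beside any such constant-time rewrite, since a wrong constant silently breaks decryption rather than failing loudly.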

Read more of this story at Slashdot.

Android 15 Could Bring Widgets Back To the Lock Screen

After removing the feature with Android 5.0 in 2015, Google appears to be bringing back lock screen widgets in the next version of Android. “There haven’t been any indications since then that Google would ever bring this feature back,” notes Android Authority. “But after Apple introduced widgets to the iPhone lock screen in iOS 16, many speculated that it was only a matter of time.” From the report: As for how they might do that, there seem to be two different approaches that are being developed. The first one involves the creation of a new “communal” space — an area on the lock screen that might be accessed by swiping inward from the right. Although the communal space is still unfinished, I was able to activate it in the new Android 14 QPR2 Beta 3 update. Once I activated the communal space, a large gray bar appeared on the right side of the lock screen on my Pixel device. After swiping inward, a pencil icon appeared on the top left of the screen. Tapping this icon opened a widget selector that allowed me to add widgets from Google Calendar, Google Clock, and the Google App, but I wasn’t able to add widgets from most of my other apps. This is because the widget category needs to be set to KEYGUARD in order for it to appear in this selector. KEYGUARD is a category Google introduced in Android 4.2 Jelly Bean that very few apps utilize today since the lock screen hasn’t supported showing widgets in nearly a decade. After adding the widgets for Google Clock and Google Finance, I returned to the communal space by swiping inward from the right on the lock screen. The widgets were indeed shown in this space without me needing to unlock the device. However, the lock screen UI was shown on top of the widgets, making things difficult to see. Clearly, this feature is still a work in progress in the current beta. […]

While it’s possible this communal space won’t be coming to all devices, there’s another way that Google could bring widgets back to the lock screen for Android phones: leveraging At a Glance. If you aren’t familiar, Pixel phones have a widget on the home screen and lock screen called At a Glance. The interesting thing about At a Glance is that it isn’t actually a widget but rather a “custom element behaving like a widget,” according to developer Kieron Quinn. Under the hood, At a Glance is built on top of Smartspace, the API that is responsible for creating the various cards you can swipe through. Although Smartspace supports creating a variety of card types, it currently can’t handle RemoteViews, the API on which Android app widgets are built. That could change soon, though, as Google is working on including RemoteViews into the Smartspace API.

It’s unclear whether this will allow raw widgets from all apps to be included in At a Glance, since it’s also possible that Google is only implementing this so it has more freedom in building new cards. Either way, this new addition to the Smartspace API would supercharge the At a Glance widget in Android 15, and we’re excited to see what Google has in store for us.


US Regulator Considers Stripping Boeing’s Right To Self-Inspect Planes

After a 737 Max door panel blew out over Portland, Oregon, last week, the Federal Aviation Administration ordered the temporary grounding of Boeing 737 Max 9 aircraft until emergency inspections were performed. “Alaska and United Airlines, which operate most of the Max 9s in use in the United States, said on Monday that they discovered loose hardware on the panel when conducting preliminary inspections on their planes,” reported the New York Times. Now, U.S. aviation regulators say they may strip Boeing of its right to conduct some of its aircraft inspections. The Financial Times reports: Mike Whitaker, FAA administrator, said the agency was “exploring” its options for using an independent third-party to oversee inspections of Boeing’s aircraft and its quality controls. “It is time to re-examine the delegation of authority and assess any associated safety risks,” he said. “The grounding of the 737-9 and the multiple production-related issues identified in recent years [at Boeing] require us to look at every option to reduce risk.”

The regulator also said it plans to immediately increase its oversight of Boeing’s production. The FAA opened an investigation on Thursday into whether the planes Boeing builds match the specifications it has laid out. The FAA said it will audit the 737 Max 9 production line and its suppliers “to evaluate Boeing’s compliance with its approved quality procedures,” with further audits conducted as necessary.

Washington Senator Maria Cantwell sent a letter (PDF) yesterday to the FAA questioning the agency’s role in inspecting aircraft manufactured by Boeing. Cantwell said she asked a year ago for an audit of certain areas related to Boeing’s production, and the regulator told her it was unnecessary. “Recent accidents and incidents — including the expelled door plug on Alaska Airlines flight 1282 — call into question Boeing’s quality control,” she said. “In short, it appears that FAA’s oversight processes have not been effective in ensuring that Boeing produces aeroplanes that are in condition for safe operation.”


SpaceX Sends First Text Messages Using Starlink Satellites

Just six days after being launched atop a Falcon 9 rocket, one of SpaceX’s six Starlink satellites was used to send text messages for the first time. Space.com reports: That update didn’t reveal what the first Starlink direct-to-cell text said. In a post on X on Wednesday, SpaceX founder and CEO Elon Musk said the message was “LFGMF2024,” but the chances are fairly high that he was joking. […] Beaming connectivity service from satellites directly to smartphones — which SpaceX is doing via a partnership with T-Mobile — is a difficult proposition, as SpaceX noted in Wednesday’s update.

“For example, in terrestrial networks cell towers are stationary, but in a satellite network they move at tens of thousands of miles per hour relative to users on Earth,” SpaceX wrote. “This requires seamless handoffs between satellites and accommodations for factors like Doppler shift and timing delays that challenge phone-to-space communications. Cell phones are also incredibly difficult to connect to satellites hundreds of kilometers away, given a mobile phone’s low antenna gain and transmit power.”

The direct-to-cell Starlink satellites overcome these challenges thanks to “innovative new custom silicon, phased-array antennas and advanced software algorithms,” SpaceX added. Overcoming tough challenges can lead to great rewards, and that’s the case here, according to SpaceX President Gwynne Shotwell. “Satellite connectivity direct to cell phones will have a tremendous impact around the world, helping people communicate wherever and whenever they want or need to,” Shotwell said via X on Wednesday.


eBay To Pay $3 Million Penalty For Employees Sending Live Cockroaches, Fetal Pig To Bloggers

E-commerce giant eBay agreed to pay a $3 million penalty for the harassment and stalking of a Massachusetts couple by several of its employees. “The couple, Ina and David Steiner, had been subjected to threats and bizarre deliveries, including live spiders, cockroaches, a funeral wreath and a bloody pig mask in August 2019,” reports CBS News. From the report: Thursday’s fine comes after several eBay employees ran a harassment and intimidation campaign against the Steiners, who publish a news website focusing on players in the e-commerce industry. “eBay engaged in absolutely horrific, criminal conduct. The company’s employees and contractors involved in this campaign put the victims through pure hell, in a petrifying campaign aimed at silencing their reporting and protecting the eBay brand,” Levy said. “We left no stone unturned in our mission to hold accountable every individual who turned the victims’ world upside-down through a never-ending nightmare of menacing and criminal acts.”

The Justice Department criminally charged eBay with two counts of stalking through interstate travel, two counts of stalking through electronic communications services, one count of witness tampering and one count of obstruction of justice. The company agreed to pay $3 million as part of a deferred prosecution agreement. Under the agreement, eBay will be required to retain an independent corporate compliance monitor for three years, officials said, to “ensure that eBay’s senior leadership sets a tone that makes compliance with the law paramount, implements safeguards to prevent future criminal activity, and makes clear to every eBay employee that the idea of terrorizing innocent people and obstructing investigations will not be tolerated,” Levy said.

Former U.S. Attorney Andrew Lelling said the plan to target the Steiners, which he described as a “campaign of terror,” was hatched in April 2019 at eBay. Devin Wenig, eBay’s CEO at the time, shared a link to a post Ina Steiner had written about his annual pay. The company’s chief communications officer, Steve Wymer, responded: “We are going to crush this lady.” About a month later, Wenig texted: “Take her down.” Prosecutors said Wymer later texted eBay security director Jim Baugh. “I want to see ashes. As long as it takes. Whatever it takes,” Wymer wrote. Investigators said Baugh set up a meeting with security staff and dispatched a team to Boston, about 20 miles from where the Steiners live. “Senior executives at eBay were frustrated with the newsletter’s tone and content, and with the comments posted beneath the newsletter’s articles,” the Department of Justice wrote in its Thursday announcement. Two former eBay security executives were sentenced to prison over the incident.


Englishman Who Posed As HyperVerse CEO Says Sorry To Investors Who Lost Millions

Stephen Harrison, an Englishman living in Thailand who posed as chief executive Steven Reece Lewis for the launch of the HyperVerse crypto scheme, told the Guardian Australia that he was paid to play the role of chief executive but denies having ‘pocketed’ any of the money lost. He says he received 180,000 Thai baht (about $7,500) over nine months and a free suit, adding that he was “shocked” to learn the company had presented him as having fake credentials to promote the scheme. From the report: He said he felt sorry for those who had lost money in relation to the scheme — which he said he had no role in — an amount Chainalysis estimates at US$1.3 billion in 2022 alone. “I am sorry for these people,” he said. “Because they believed some idea with me at the forefront and believed in what I said, and God knows what these people have lost. And I do feel bad about this.” “I do feel deeply sorry for these people, I really do. You know, it’s horrible for them. I just hope that there is some resolution. I know it’s hard to get the money back off these people or whatever, but I just hope there can be some justice served in all of this where they can get to the bottom of this.” He said he wanted to make clear he had “certainly not pocketed” any of the money lost by investors.

Harrison, who at the time was a freelance television presenter engaged in unpaid football commentary, said he had been approached and offered the HyperVerse work by a friend of a friend. He said he was new to the industry and had been open to picking up more work and experience as a corporate “presenter.” “I was told I was acting out a role to represent the business and many people do this,” Harrison said. He said he trusted his agent and accepted that. After reading through the scripts he said he was initially suspicious about the company he was hired to represent because he was unfamiliar with the crypto industry, but said he had been reassured by his agent that the company was legitimate. He said he had also done some of his own online research into the organization and found articles about the Australian blockchain entrepreneur and HyperTech chairman Sam Lee. “I went away and I actually looked at the company because I was concerned that it could be a scam,” Harrison said. “So I looked online a bit and everything seemed OK, so I rolled with it.” The HyperVerse crypto scheme was promoted by Lee and his business partner Ryan Xu, both of whom were founders of the collapsed Australian bitcoin company Blockchain Global. “Blockchain Global owes creditors $58 million and its liquidator has referred Xu and Lee to the Australian Securities and Investments Commission for alleged possible breaches of the Corporations Act,” reports The Guardian. “Asic has said it does not intend to take action at this time.”

Rodney Burton, known as “Bitcoin Rodney,” was arrested and charged in the U.S. on Monday for his alleged role in promoting the HyperVerse crypto scheme. The IRS alleges Burton was “part of a network that made ‘fraudulent’ presentations claiming high returns for investors based on crypto-mining operations that did not exist,” reports The Guardian.
