OpenBSD 7.1 Released with Support for Apple M1, Improvements for ARM64 and RISC-V

“Everyone’s favorite security focused operating system, OpenBSD 7.1 has been released for a number of architectures,” writes long-time Slashdot reader ArchieBunker, “including Apple M1 chips.”

Phoronix calls it “the newest version of this popular, security-minded BSD operating system.”
With OpenBSD 7.1, the Apple Silicon support is now considered “ready for general use” with keypad/touchpad support for M1 laptops, a power management controller driver added, I2C and SPI controller drivers, and a variety of other driver additions for supporting the Apple Silicon hardware.
OpenBSD 7.1 also has a number of other improvements benefiting the 64-bit ARM (ARM64) and RISC-V architectures. OpenBSD 7.1 also brings SMP kernel improvements, support for futexes with shared anonymous memory, and more. On the graphics front there is updating the Linux DRM code against the state found in Linux 5.15.26 as well as now enabling Intel Elkhart Lake / Jasper Lake / Rocket Lake support.

The Register notes OpenBSD now “supports a surprisingly wide range of hardware: x86-32, x86-64, ARM7, Arm64, DEC Alpha, HP PA-RISC, Hitachi SH4, Motorola 88000, MIPS64, SPARC64, RISC-V 64, and both Apple PowerPC and IBM POWER.”
The Register’s FOSS desk ran up a copy in VirtualBox, and we were honestly surprised how quick and easy it was. By saying “yes” to everything, it automatically partitioned the VM’s disk into a rather complex array of nine slices, installed the OS, a boot loader, an X server and display manager, plus the FVWM window manager. After a reboot, we got a graphical login screen and then a rather late-1980s Motif-style desktop with an xterm.
It was easy to install XFCE, which let us set the screen resolution and other modern niceties, and there are also KDE, GNOME, and other pretty front-ends, plus plenty of familiar tools such as Mozilla apps, LibreOffice and so on….

We were expecting to have to do a lot more work. Yes, OpenBSD is a niche OS, but the project gave the world OpenSSH, LibreSSL, the PF firewall as used in macOS, much of Android’s Bionic C library, and more besides…. In a world of multi-gigabyte OSes, it’s quite refreshing. It felt like stepping back into the early 1990s, the era of Real Unix, when you had to put in some real effort and learn stuff in order to bend the OS to your will — but in return, you got something relatively bulletproof.

Read more of this story at Slashdot.

How US Billionaires Can Avoid Paying Income Taxes

On April 15th Americans filed their taxes with the Internal Revenue Service (or IRS). But on the same day ProPublica was reporting a difference between “the rich and the rest of us” — that their wealth just isn’t easily defined:

For one, wages make up only a small part of their earnings. And they have broad latitude in how they account for their businesses and investments. Their incomes aren’t defined by a tax form. Instead, they represent the triumph of careful planning by skilled professionals who strive to deliver the most-advantageous-yet-still-plausible answers to their clients. For them, a tax return is an opening bid to the IRS. It’s a kind of theory….

We counted at least 16 other billionaires (along with hundreds of other ultrawealthy people, including hedge fund managers and former CEOs) among the stimulus check recipients. This is just how our system works. It’s why, in 2011, Jeff Bezos, then worth $18 billion, qualified for $4,000 in refundable child tax credits. (Bezos didn’t respond to our questions.) A recent study by the Brookings Institution set out with a simple aim: to compare what owners of privately held businesses say they earn with the income that appears on the owners’ tax returns. The findings were stark: “More than half of economic income generated by closely held businesses does not appear on tax returns and that ratio has declined significantly over the past 25 years.”

That doesn’t mean business owners are illegally hiding income from the IRS, though it’s certainly a possible contributor. There are plenty of ways to make income vanish legally. Tax perks like depreciation allow owners to create tax losses even as they expand their businesses… “Losses” from one business can also be used to wipe out income from another. Sometimes spilling red ink can be lots of fun: For billionaires, owning sports teams and thoroughbred racehorses are exciting loss-makers. Congress larded the tax code with these sorts of provisions on the logic that what’s good for businesses is good for the economy. Often, the evidence for this broader effect is thin or nonexistent, but you can be sure all this is great for business owners. The Brookings study found that households worth $10 million or more benefited the most from being able to make income disappear….

In the tax system we have, billionaires who’d really rather not pay income taxes can usually find a way not to. They can bank their accumulating gains tax-free and deploy tax losses to wipe out whatever taxable income they might have. They can even look forward to a few thousand dollars here and there from the government to help them raise their kids or get through a national emergency.
This system also means it’s much harder to catch underreported income on the tax returns of the wealthy, the article points out. And with so many legal deducations, it’s also hard to prove the low incomes really exceed what the law allows. Even then, the wealthy can still hire an army of the best tax lawyers to make their case in court.

And now thousands of auditors have left the agency — and have not been replaced. The end result? “Audits of the wealthy have plummeted.

“Business owners have still more reason to be bold….”

Read more of this story at Slashdot.

American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. Reader BeerFartMoron shares a report: In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter. According to Brendon Clark of Anomaly Six — or “A6” — the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines. To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cellphones against them.

Virginia-based Anomaly Six was founded in 2018 by two ex-military intelligence officers and maintains a public presence that is scant to the point of mysterious, its website disclosing nothing about what the firm actually does. But there’s a good chance that A6 knows an immense amount about you. The company is one of many that purchases vast reams of location data, tracking hundreds of millions of people around the world by exploiting a poorly understood fact: Countless common smartphone apps are constantly harvesting your location and relaying it to advertisers, typically without your knowledge or informed consent, relying on disclosures buried in the legalese of the sprawling terms of service that the companies involved count on you never reading.

Read more of this story at Slashdot.

Ebook Services Are Bringing Unhinged Conspiracy Books into Public Libraries

Librarians say Holocaust deniers, antivaxxers, and other conspiracy theorists are being featured in the catalogs of a popular ebook lending service. From a report: In February, a group of librarians in Massachusetts identified a number of Holocaust denial and anti-Semitic books on Hoopla, including titles like “Debating The Holocaust” and “A New Nobility of Blood and Soil” — the latter referring to the infamous Nazi slogan for nationalist racial purity. After public outcry from library and information professionals, Hoopla removed a handful of titles from its digital collection.

In an email obtained by the Library Freedom Project last month, Hoopla CEO Jeff Jankowski explained that the titles came from the company’s network of more than 18,000 publishers: “[The titles] were added within the most recent twelve months and, unfortunately, they made it through our protocols that include both human and system-driven reviews and screening.” However, quick Hoopla keyword searches for ebooks about “homosexuality” and “abortion” turn up dozens of top results that contain largely self-published religious texts categorized as “nonfiction,” including several titles like “Can Homosexuality Be Healed” which promote conversion therapy and anti-LGBTQ+ rhetoric. This prompted a group of librarians to start asking how these titles are appearing in public library catalogs and why they are ranked so high.

Read more of this story at Slashdot.

Binance Recovers Stolen, Disguised Crypto Loot From Mega Hack

More than a week after the U.S. tied one of the biggest heists in crypto to a North Korean hacking group, digital-asset exchange Binance said it was able to recover about $5.8 million worth of the stolen loot that had made its way onto its platform in disguised form. From a report: The details of how it achieved this serve as notice for those who attempt to cash out ill-gotten cryptocurrency gains: It may only get harder. The U.S. Treasury Department last week tied the North Korean hacking group Lazarus to the theft of more than $600 million in cryptocurrency from the Ronin software bridge, which is used by players of Axie Infinity to transfer crypto. The department identified an Ethereum wallet address tied to the group, adding it to its sanction list. Binance was able to trace stolen funds that were initially moved from the hackers’ wallet to Tornado Cash — a service that allows for anonymous token transfers on the Ethereum blockchain — and then to its exchange by working with external firms.

Read more of this story at Slashdot.

Brazil Judge Says Apple Selling iPhone Without Power Adapter Is ‘Abusive and Illegal’

Obama Says Social Media Falsehoods Spur Skepticism on Politics

Former U.S. President Barack Obama warned that the way Americans communicate on social media networks has weakened democracy. Bloomberg: Obama, who owns the podcasting and film company Higher Ground, warned that “citizens no longer know what to believe” thanks to false information spreading online. This is leading to political skepticism among citizens, he added. “The very design of these platforms is tilting us in the wrong direction,” he said Thursday during a conference at Stanford University’s Cyber Policy Center. Hate speech, vaccine misinformation and state-sponsored amplification of fake news are feeding people’s desire to read sensational content, the former president said. While Obama acknowledged that some of the most odious content, such as racism, white supremacy and conspiracy theories, existed “long before the first tweet was sent,” he argued that “solving the disinformation problem” on social media networks could help build trust and solidarity among citizens.

Read more of this story at Slashdot.

Microsoft Is Disabling SMB1 File-Sharing Protocol in Windows 11 Home

joshuark shares a report: Microsoft’s Windows 10 operating system already disables by default SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol. Now the company is doing the same with Windows 11 Home Dev Channel test builds, announced officials on April 19. SMB1 is considered outdated and not secure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can’t connect to an old networked hard drive, as officials said in a blog post about the SMB1 phase out plan. “There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well,” said Ned Pyle, Principal Program Manager. “Like always, this doesn’t affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it,” Pyle added.

Read more of this story at Slashdot.

Hackers Can Infect Over 100 Lenovo Models With Unremovable Malware

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect. Ars Technica reports: Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.

Two of the vulnerabilities — tracked as CVE-2021-3971 and CVE-2021-3972 — reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without being properly deactivated. Hackers can exploit these buggy drivers to disable protections, including UEFI secure boot, BIOS control register bits, and protected range register, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs. After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management. “All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges,” notes Ars Technica’s Dan Goodin. “The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk.”

Still, it’s worth looking to see if you have an affected model and, if so, patch your computer as soon as possible.

Read more of this story at Slashdot.