Lenovo Patches UEFI Code Execution Vulnerability Affecting More Than 70 Laptop Models

Lenovo has released a security advisory to inform customers that more than 70 of its laptops are affected by a UEFI/BIOS vulnerability that can lead to arbitrary code execution. SecurityWeek reports: Researchers at cybersecurity firm ESET discovered a total of three buffer overflow vulnerabilities that can allow an attacker with local privileges to affected Lenovo devices to execute arbitrary code. However, Lenovo says only one of the vulnerabilities (CVE-2022-1892) impacts all devices, while the other two impact only a handful of laptops. “The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features,” ESET explained. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call,” it added.
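The DataSize bug class ESET describes can be reproduced in a small model. This is an added example, not Lenovo's firmware code or ESET's proof of concept. The `get_variable` function, the status codes, the variable names "Config" and "Extra", and the guard-byte arena are hypothetical stand-ins chosen so that an overrun is observable without corrupting real memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified status codes for this model (not the real EFI_STATUS values). */
enum { ST_SUCCESS, ST_BUFFER_TOO_SMALL, ST_NOT_FOUND };
#define BUF_LEN   8     /* capacity of the caller's Data buffer */
#define ARENA_LEN 64    /* Data buffer followed by guard bytes */
#define GUARD     0xCC

/* Constructed stand-in for the NVRAM variable store. */
static struct { const char *name; uint8_t data[32]; size_t size; } nvram[2] = {
    { "Config", {0}, 4 }, { "Extra", {0}, 4 },
};

/* Models a locally privileged user rewriting variable idx (size <= 32). */
static void set_variable(int idx, size_t size) {
    memset(nvram[idx].data, 0x41, size);
    nvram[idx].size = size;
}

/* Models the GetVariable contract: *data_size is the buffer size on input and
 * is overwritten with the required size when the buffer is too small. */
static int get_variable(const char *name, size_t *data_size, uint8_t *data) {
    for (int i = 0; i < 2; i++) {
        if (strcmp(nvram[i].name, name) != 0) continue;
        if (*data_size < nvram[i].size) {
            *data_size = nvram[i].size;
            return ST_BUFFER_TOO_SMALL;
        }
        memcpy(data, nvram[i].data, nvram[i].size);
        *data_size = nvram[i].size;
        return ST_SUCCESS;
    }
    return ST_NOT_FOUND;
}

/* Reads both variables into one BUF_LEN buffer; returns guard bytes overwritten.
 * hardened=0 reuses DataSize across calls; hardened=1 resets it and checks status. */
size_t read_settings(int hardened) {
    uint8_t arena[ARENA_LEN];
    size_t data_size = BUF_LEN, n = 0;
    memset(arena, GUARD, sizeof arena);
    int st = get_variable("Config", &data_size, arena); /* may enlarge data_size */
    if (hardened) {
        if (st != ST_SUCCESS) memset(arena, 0, BUF_LEN); /* fall back to defaults */
        data_size = BUF_LEN;                             /* restate real capacity */
    }
    st = get_variable("Extra", &data_size, arena);
    if (hardened && st != ST_SUCCESS) memset(arena, 0, BUF_LEN);
    for (size_t i = BUF_LEN; i < ARENA_LEN; i++) n += (arena[i] != GUARD);
    return n;
}

int main(void) {
    set_variable(0, 24); set_variable(1, 24);   /* constructed oversized values */
    printf("reused DataSize: %zu guard bytes overwritten\n", read_settings(0));
    printf("reset DataSize:  %zu guard bytes overwritten\n", read_settings(1));
    return 0;
}
```

When reviewing firmware code, the pattern to look for is any `GetVariable` call whose `DataSize` argument was last written by an earlier call rather than set from the size of the destination buffer.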

Lenovo has also informed customers about Retbleed, a new speculative execution attack impacting devices with Intel and AMD processors. The company has also issued an advisory for a couple of vulnerabilities affecting many products that use the XClarity Controller server management engine. These flaws can allow authenticated users to cause a DoS condition or make unauthorized connections to internal services.

Read more of this story at Slashdot.

Google Files a Lawsuit That Could Kick Tinder Out of the Play Store

Google has counter-sued Match seeking monetary damages and a judgement that would let it kick Tinder and the group’s other dating apps out of the Play Store, Bloomberg has reported. Engadget reports: Earlier this year, Match sued Google alleging antitrust violations over a decision requiring all Android developers to process “digital goods and services” payments through the Play Store billing system. Following the initial lawsuit in May, Google and Match reached a temporary agreement allowing Match to remain on the Play Store and use its own payments system. Google also agreed to make a “good faith” effort to address Match’s billing concerns. Match, in turn, was to make an effort to offer Google’s billing system as an alternative.

However, Google parent Alphabet claims that Match Group now wants to avoid paying “nothing at all” to Google, including its 15 to 30 percent Play Store fees, according to a court filing. “Match Group never intended to comply with the contractual terms to which it agreed… it would also place Match Group in an advantaged position relative to other app developers,” the document states. Match Group said that Google’s Play Store policies violate federal and state laws. “Google doesn’t want anyone else to sue them so their counterclaims are designed as a warning shot,” Match told Bloomberg in a statement. “We are confident that our suit, alongside other developers, the US Department of Justice and 37 state attorneys general making similar claims, will be resolved in our favor early next year.”

Edits To a Cholesterol Gene Could Stop the Biggest Killer On Earth

A volunteer in New Zealand has become the first person to undergo DNA editing in order to lower their blood cholesterol, a step that may foreshadow wide use of the technology to prevent heart attacks. MIT Technology Review reports: The experiment, part of a clinical trial by the US biotechnology company Verve Therapeutics, involved injecting a version of the gene-editing tool CRISPR in order to modify a single letter of DNA in the patient’s liver cells. According to the company, that tiny edit should be enough to permanently lower a person’s levels of “bad” LDL cholesterol, the fatty molecule that causes arteries to clog and harden with time. The patient in New Zealand had an inherited risk for extra-high cholesterol and was already suffering from heart disease. However, the company believes the same technique could eventually be used on millions of people in order to prevent cardiovascular disease.

In New Zealand, where Verve’s clinical trial is taking place, doctors will give the gene treatment to 40 people who have an inherited form of high cholesterol known as familial hypercholesterolemia, or FH. People with FH can have cholesterol readings twice the average, even as children. Many learn they have a problem only when they get hit with a heart attack, often at a young age. The study also marks an early use of base editing, a novel adaptation of CRISPR that was first developed in 2016. Unlike traditional CRISPR, which cuts a gene, base editing substitutes a single letter of DNA for another.

The gene Verve is editing is called PCSK9. It has a big role in maintaining LDL levels and the company says its treatment will turn the gene off by introducing a one-letter misspelling. […] One reason Verve’s base-editing technique is moving fast is that the technology is substantially similar to mRNA vaccines for covid-19. Just like the vaccines, the treatment consists of genetic instructions wrapped in a nanoparticle, which ferries everything into a cell. While the vaccine instructs cells to make a component of the SARS-CoV-2 virus, the particles in Verve’s treatment carry RNA directions for a cell to assemble and aim a base-editing protein, which then modifies that cell’s copy of PCSK9, introducing the tiny mistake. In experiments on monkeys, Verve found that the treatment lowered bad cholesterol by 60%. The effect has lasted more than a year in the animals and could well be permanent. The report notes that the human experiment does carry some risk. “Nanoparticles are somewhat toxic, and there have been reports of side effects, like muscle pain, in people taking other drugs to lower PCSK9,” reports MIT Technology Review. “And whereas treatment with ordinary drugs can be discontinued if problems come up, there’s as yet no plan to undo gene editing once it’s performed.”

New Working Speculative Execution Attack Sends Intel and AMD Scrambling

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability. Ars Technica reports: Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled. […] The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations. […] Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place. “Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today’s public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.” AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a whitepaper.

[Researcher Kaveh Razavi added:] “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.” The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD and be sure to follow the mitigation guidance.

TikTok Hits Pause On Its Most Controversial Privacy Update Yet

Early last month, TikTok users across Europe were told that, starting July 13th, the platform would begin using their on-app data to serve up targeted ads, even if those users didn’t consent to the practice. Now, less than a day before that change would have rolled out European Union-wide, it looks like the company’s reconsidering things a bit. Gizmodo reports: A company spokesperson told TechCrunch on Tuesday that TikTok is “pausing” the update while it “engage[s] on the questions from stakeholders,” about the way it handles personalized ads. And needless to say, there are quite a lot of questions about that right now — from data protection authorities in the EU, from lawmakers in the US, and from privacy experts pretty much everywhere.

For context: until this point, European users that opened the TikTok app needed to offer express consent to let the company use their data for targeted ads. This update planned to do away with the need for that pesky consent by relying on a legal basis known as “legitimate interest” to target those ads instead. In a nutshell, the “legitimate interest” clause would let TikTok process people’s data, consent-free, if it was for a purpose that TikTok deemed reasonable. This means the company could say, for example, that because targeted ads bring in more money than their un-targeted equivalent, it would be reasonable to serve all users — consenting or otherwise — targeted ads. Reasonable, right?

Physicists Discover a ‘Family’ of Robust, Superconducting Graphene Structures

In 2018, MIT researchers found that if two graphene layers are stacked at a very specific “magic” angle, the twisted bilayer structure could exhibit robust superconductivity, a widely sought material state in which an electrical current can flow through with zero energy loss. Now the team reports that […] four and five graphene layers can be twisted and stacked at new magic angles to elicit robust superconductivity at low temperatures. Phys.Org reports: This latest discovery, published this week in Nature Materials, establishes the various twisted and stacked configurations of graphene as the first known “family” of multilayer magic-angle superconductors. The team also identified similarities and differences between graphene family members. The findings could serve as a blueprint for designing practical, room-temperature superconductors. If the properties among family members could be replicated in other, naturally conductive materials, they could be harnessed, for instance, to deliver electricity without dissipation or build magnetically levitating trains that run without friction.

In the current study, the team looked to level up the number of graphene layers. They fabricated two new structures, made from four and five graphene layers, respectively. Each structure is stacked alternately, similar to the shifted cheese sandwich of twisted trilayer graphene. The team kept the structures in a refrigerator below 1 kelvin (about -273 degrees Celsius), ran electrical current through each structure, and measured the output under various conditions, similar to tests for their bilayer and trilayer systems. Overall, they found that both four- and five-layer twisted graphene also exhibit robust superconductivity and a flat band. The structures also shared other similarities with their three-layer counterpart, such as their response under a magnetic field of varying strength, angle, and orientation.

These experiments showed that twisted graphene structures could be considered a new family, or class of common superconducting materials. The experiments also suggested there may be a black sheep in the family: The original twisted bilayer structure, while sharing key properties, also showed subtle differences from its siblings. For instance, the group’s previous experiments showed the structure’s superconductivity broke down under lower magnetic fields and was more uneven as the field rotated, compared to its multilayer siblings. The team carried out simulations of each structure type, seeking an explanation for the differences between family members. They concluded that the fact that twisted bilayer graphene’s superconductivity dies out under certain magnetic conditions is simply because all of its physical layers exist in a “nonmirrored” form within the structure. In other words, there are no two layers in the structure that are mirror opposites of each other, whereas graphene’s multilayer siblings exhibit some sort of mirror symmetry. These findings suggest that the mechanism driving electrons to flow in a robust superconductive state is the same across the twisted graphene family.

Xbox Series X Can Run Windows 98, Along With Classic PC Games of The Era

Alex Battaglia from the YouTube channel “Digital Foundry” was able to use the “RetroArch” software emulator to run Windows 98 on the Xbox Series X, along with several PC games of the era. “Technically, you’re supposed to be an Xbox developer to access this, and you will need to sign up to the paid Microsoft Partner program and turn on ‘Developer Mode’ for your system to activate it,” notes Pure Xbox. “In DF’s case, rather than directly playing emulated games through RetroArch, they used the program to install Windows 98 software.” From the report: Beyond the novelty of actually booting up Win98 on a modern console the channel then decided to test out some games, running through the older version of Windows. Playthroughs of Turok, Command & Conquer, Quake 2 and more were all pretty successful, although the act of loading them onto the software requires a bit of messing about (you have to create ISO files and transfer them over — sadly, Xbox’s disc drive can’t read the original discs). Of course, this wouldn’t be a Digital Foundry video without some performance comparisons, so the team did just that. The video compares hardware of the era with Xbox Series X’s emulation, and while the console often lags behind due to the fact that it’s literally emulating an entire version of Windows, and then a game on top of that, it fares pretty well overall. You can watch Digital Foundry’s video here.

What Makes Workers ‘Thrive’? Microsoft Study Suggests Shorter Workweeks and Less Collaboration

Microsoft describes “thriving” at work as being “energized and empowered to do meaningful work.”

So Microsoft’s “people analytics” chief and its “culture measurements” director teamed up for a report in Harvard Business Review exploring “as we enter the hybrid work era… how thriving can be unlocked across different work locations, professions, and ways of working.”

ZDNet columnist Chris Matyszczyk took special note of the researchers’ observation that “Employees who weren’t thriving talked about experiencing siloes, bureaucracy, and a lack of collaboration,” asking playfully, “Does that sound like Microsoft to you?”

Klinghoffer and McCune were undeterred in their search for the secret of happiness. They examined those who spoke most positively about thriving at work and work-life balance. They reached a startling picture of a happy Microsoft employee. They said: “By combining sentiment data with de-identified calendar and email metadata, we found that those with the best of both worlds had five fewer hours in their workweek span, five fewer collaboration hours, three more focus hours, and 17 fewer employees in their internal network size.”

Five fewer collaboration hours? 17 fewer employees in their internal network? Does this suggest that the teamwork mantra isn’t working so well? Does it, in fact, intimate that collaboration may have become a buzzword for a collective that is more a bureaucracy than a truly productive organism?

Klinghoffer and McCune say collaboration isn’t bad in itself. However, they say: “It is important to be mindful of how intense collaboration can impact work-life balance, and leaders and employees alike should guard against that intensity becoming 24/7.”

If you’re a leader, you have a way to stop it. If you’re an employee, not so much.

The Microsoft researchers’ conclusion? “Thriving takes a village” (highlighting the importance of managers), and that “the most common thread among those who were not thriving was a feeling of exclusion — from a lack of collaboration to feeling left out of decisions to struggling with politics and bureaucracy.”

Matyszczyk’s conclusion? “It’s heartening to learn, though, that perhaps the most important element to making an employee happy at work is giving them time to, well, actually work.”

‘I’m CEO of a Robotics Company, and I Believe AI’s Failed on Many Fronts’

“Aside from drawing photo-realistic images and holding seemingly sentient conversations, AI has failed on many promises,” writes the cofounder and CEO of Serve Robotics:
The resulting rise in AI skepticism leaves us with a choice: We can become too cynical and watch from the sidelines as winners emerge, or find a way to filter noise and identify commercial breakthroughs early to participate in a historic economic opportunity. There’s a simple framework for differentiating near-term reality from science fiction. We use the single most important measure of maturity in any technology: its ability to manage unforeseen events commonly known as edge cases. As a technology hardens, it becomes more adept at handling increasingly infrequent edge cases and, as a result, gradually unlocking new applications…

Here’s an important insight: Today’s AI can achieve very high performance if it is focused on either precision, or recall. In other words, it optimizes one at the expense of the other (i.e., fewer false positives in exchange for more false negatives, and vice versa). But when it comes to achieving high performance on both of those simultaneously, AI models struggle. Solving this remains the holy grail of AI….

Delivery Autonomous Mobile Robots (AMRs) are the first application of urban autonomy to commercialize, while robo-taxis still await an unattainable hi-fi AI performance. The rate of progress in this industry, as well as our experience over the past five years, has strengthened our view that the best way to commercialize AI is to focus on narrower applications enabled by lo-fi AI, and use human intervention to achieve hi-fi performance when needed. In this model, lo-fi AI leads to early commercialization, and incremental improvements afterwards help drive business KPIs.

By targeting more forgiving use cases, businesses can use lo-fi AI to achieve commercial success early, while maintaining a realistic view of the multi-year timeline for achieving hi-fi capabilities.
After all, sci-fi has no place in business planning.
