KeePass Disputes Vulnerability Allowing Stealthy Password Theft

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. BleepingComputer reports: KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can’t just steal the database and automatically gain access to the passwords stored within it. The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target’s system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control. However, this export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. […]

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn’t be classified as a vulnerability given that attackers with write access to a target’s device can also obtain the information contained within the KeePass database through other means. In fact, a “Security Issues” page on the KeePass Help Center has been describing the “Write Access to Configuration File” issue since at least April 2019 as “not really a security vulnerability of KeePass.” If the user has installed KeePass as a regular program and the attackers have write access, they can also “perform various kinds of attacks.” Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.” If the KeePass devs don’t release a version of the app that addresses this issue, BleepingComputer notes “you could still secure your database by logging in as a system admin and creating an enforced configuration file.”

“This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue.”
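The two controls this story describes, checking a KeePass configuration for injected triggers and disabling the trigger system through an enforced configuration file, can both be exercised from a short audit script. The following is an added example written for this page, not code from KeePass or from BleepingComputer. It assumes the element layout of KeePass's XML configuration (`Configuration/Application/TriggerSystem`, with `Triggers/Trigger` children carrying `Name`, `Enabled` and `Actions/Action/TypeGuid` elements) and that the enforced file is `KeePass.config.enforced.xml` in the application directory; the sample configuration, the trigger name and every GUID and path in it are constructed placeholders. The checker reports every trigger it finds and whether the trigger system is switched off, so it can be run against a real `KeePass.config.xml` by passing the file contents to `audit_config`.

```python
"""Audit a KeePass configuration file for trigger definitions (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample modelled on the KeePass.config.xml layout (assumption).
# The trigger, its GUIDs and the export path are placeholders, not a real sample.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Example trigger (hypothetical)</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>PLACEHOLDER-EVENT-TYPE-GUID</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-TYPE-GUID</TypeGuid>
              <Parameters>
                <Parameter>C:\\PLACEHOLDER\\export.xml</Parameter>
                <Parameter>PLACEHOLDER-EXPORT-FORMAT</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Enforced configuration that turns the trigger system off (assumed schema).
# Written as KeePass.config.enforced.xml next to KeePass.exe, in a directory
# only administrators can write to, it overrides the global and local files.
ENFORCED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
"""


@dataclass
class TriggerFinding:
    name: str
    enabled: bool
    action_types: list   # TypeGuid of each action in the trigger
    parameters: list     # raw action parameters (paths, format names, ...)


def _is_true(text):
    """KeePass writes booleans as the literal strings 'true' / 'false'."""
    return (text or "true").strip().lower() == "true"


def audit_config(xml_text):
    """Return (trigger_system_enabled, [TriggerFinding, ...]) for a config file."""
    root = ET.fromstring(xml_text)
    system_enabled = True
    ts = root.find("./Application/TriggerSystem")
    if ts is not None:
        system_enabled = _is_true(ts.findtext("Enabled"))
    findings = []
    # iter("Trigger") matches the exact tag only, so <Triggers> and
    # <TriggerSystem> are not picked up; one finding per defined trigger.
    for trig in root.iter("Trigger"):
        findings.append(TriggerFinding(
            name=(trig.findtext("Name") or "").strip(),
            enabled=_is_true(trig.findtext("Enabled")),
            action_types=[a.text.strip() for a in trig.findall("./Actions/Action/TypeGuid") if a.text],
            parameters=[p.text for p in trig.findall("./Actions/Action/Parameters/Parameter") if p.text],
        ))
    return system_enabled, findings


def summarize(xml_text):
    """Human-readable report lines; any trigger at all deserves a manual look."""
    enabled, findings = audit_config(xml_text)
    lines = [f"trigger system enabled: {enabled}", f"triggers defined: {len(findings)}"]
    for f in findings:
        lines.append(f"- {f.name!r} enabled={f.enabled} actions={f.action_types} params={f.parameters}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(summarize(text)))
```

Running the script with no argument audits the constructed sample; with a path it audits that file (the `utf-8-sig` encoding drops the byte-order mark KeePass writes). Because an enforced file overrides the others, the same audit run over `ENFORCED_CONFIG` reports the trigger system as disabled and no triggers, which is the end state the mitigation quoted above aims for; the directory holding the enforced file must itself be writable only by administrators, or the attacker with write access simply edits it too.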

Read more of this story at Slashdot.

Students Lost One-Third of a School Year To Pandemic, Study Finds

Children experienced learning deficits during the Covid pandemic that amounted to about one-third of a school year’s worth of knowledge and skills, according to a new global analysis, and had not recovered from those losses more than two years later. The New York Times reports: Learning delays and regressions were most severe in developing countries and among students from low-income backgrounds, researchers said, worsening existing disparities and threatening to follow children into higher education and the work force. The analysis, published Monday in the journal Nature Human Behavior and drawing on data from 15 countries, provided the most comprehensive account to date of the academic hardships wrought by the pandemic. The findings suggest that the challenges of remote learning — coupled with other stressors that plagued children and families throughout the pandemic — were not rectified when school doors reopened.

“In order to recover what was lost, we have to be doing more than just getting back to normal,” said Bastian Betthauser, a researcher at the Center for Research on Social Inequalities at Sciences Po in Paris, who was a co-author on the review. He urged officials worldwide to provide intensive summer programs and tutoring initiatives that target poorer students who fell furthest behind. Thomas Kane, the faculty director of the Center for Education Policy Research at Harvard, who has studied school interruptions in the United States, reviewed the global analysis. Without immediate and aggressive intervention, he said, “learning loss will be the longest-lasting and most inequitable legacy of the pandemic.”

[…] Because children have a finite capacity to absorb new material, Mr. Betthauser said, teachers cannot simply move faster or extend school hours, and traditional interventions like private tutoring rarely target the most disadvantaged groups. Without creative solutions, he said, the labor market ought to “brace for serious downstream effects.” Children who were in school during the pandemic could lose about $70,000 in earnings over their lifetimes if the deficits aren’t recovered, according to Eric Hanushek, an economist at the Hoover Institution at Stanford. In some states, pandemic-era students could ultimately earn almost 10 percent less than those who were educated just before the pandemic. The societal losses, he said, could amount to $28 trillion over the rest of the century.


Classic Videogame ‘Goldeneye 007’ Finally Comes to Nintendo Switch and Xbox

The classic 1997 videogame GoldenEye 007 “has finally landed on Xbox and Nintendo Switch,” writes the Verge:
On Xbox, the remaster includes 4K resolution, smoother frame rates, and split-screen local multiplayer, similar to a 2008-era bound-for-Xbox 360 version that was canceled amid licensing and rights issues but leaked out in 2021.
Meanwhile CNET describes the Switch version:
You’ll need to be subscribed to Switch Online’s $50-a-year Expansion Pack tier to access GoldenEye and other N64 games. Online multiplayer is exclusive to the Switch release, the official 007 website noted, but this version is otherwise the same as the N64 original.
But “No high-def for them,” adds Esquire:
GoldenEye 007 marks a rare case in gaming history, where the title never left the gamer zeitgeist. It has been talked about, wished over, remade, and totally Frankensteined in the modding and emulation community….

Rare, a favorite game studio of mine — its crew is responsible for many of my childhood memories, making Banjo-Kazooie, Donkey Kong Country, Perfect Dark, Conker’s Bad Fur Day, and so many more — was always a Nintendo sweetheart. Until it was acquired back in 2002 by Microsoft. While Rare didn’t pump out as many massive hits after the acquisition, the studio is responsible for one of my favorite games, Sea of Thieves. But arguably no game from those folks made more of a splash than Goldeneye.

CNN reports:
Based on the 1995 film “GoldenEye,” the game follows a block-like version of Pierce Brosnan’s 007 as he shoots his way through various locales, all while a synthy version of the signature Bond theme plays….

The return of “GoldenEye 007,” often referred to as one of the greatest video games of all time, has been years in the making. The Verge reported last year that rights issues blocked developers from releasing it on newer consoles, including Xbox, since at least 2008. Undeterred N64 fans even attempted to remake the game themselves on several occasions, though the original rights holders usually shut them down.

Modern players “may not realise how many of the features we now take for granted in shooters were inspired by this one game,” writes the Guardian. “The game that would introduce a lot of players to the concept of using an analogue stick to look around in a 3D game — it’s difficult to overstate how important that was.”

But it was the multiplayer mode that really counted. Four players, one screen, an array of locations and weapons, and all the characters from the single-player campaign…. We would usually play in Normal mode, but as the hours dragged on and the sunlight began to creep in behind the blinds, we’d switch to Slaps Only, in which players could only get kills by slapping each other to death….

It is interesting how fables around the game and its development have survived — and still intrigue. The fact that it is officially cheating to play as Oddjob in multiplayer mode; the brilliance of the pause music, which has been heavily memed on TikTok, and how it was written in just 20 minutes by Rare newcomer Grant Kirkhope. The fact that Nintendo legend and Mario creator Shigeru Miyamoto was so concerned by the death in the game that he suggested a post-credit sequence where James Bond went to a hospital to meet all the enemy soldiers he “injured”. I think the sign of a truly great game — like any work of art — is how many legends become attached to its making.
It is lovely now, to see the game getting a release on Nintendo Switch and Xbox Game Pass.


D&D Won’t Change Its Original 1.0 OGL License, Reference Document Enters Creative Commons

An anonymous reader shares a report from PC Gamer:

In a blog post published Friday, Wizards of the Coast announced that it is fully putting the kibosh on the proposed Open Gaming License (OGL) 1.2 that threw the tabletop RPG community into disarray at the beginning of this month.

Instead, Wizards will leave the previously enshrined OGL 1.0 in place, while also putting the latest D&D Systems Reference Document (SRD 5.1) under a Creative Commons License (thanks to GamesRadar for the spot).

The original OGL was put in place with the third edition of D&D in 2000, and allowed other companies and creators to base their work off D&D and the d20 system without payment to or oversight from Wizards. A draft of a revised OGL 1.1 leaked early in January, which proposed royalty payments and creative control by Wizards over derivative works. This immediately incited a backlash from fans. Wizards backpedaled, introducing a softer OGL 1.2 that would still replace the original, and opened the community survey cited in today’s announcement.

With 15,000 respondents in, the results of the survey were pretty damning. 88% didn’t “want to publish TTRPG content under OGL 1.2,” while 89% were “dissatisfied with deauthorizing OGL 1.0a.” 62% were happy that Wizards would put prior SRD versions under Creative Commons, with most of the dissenters wanting more Creative Commons-protected content.

In response, Wizards of the Coast caved.

“We welcome today’s news from Wizards of the Coast regarding their intention not to de-authorize OGL 1.0a,” tweeted Pathfinder publisher Paizo, who’d launched an effort to move the industry away from WotC’s OGL. But “We still believe there is a powerful need for an irrevocable, perpetual independent system-neutral open license that will serve the tabletop community via nonprofit stewardship.

“Work on the ORC license will continue, with an expected first draft to release for comment to participating publishers in February.”


US and EU To Launch First-Of-Its-Kind AI Agreement

The United States and European Union on Friday announced an agreement to speed up and enhance the use of artificial intelligence to improve agriculture, healthcare, emergency response, climate forecasting and the electric grid. Reuters reports: A senior U.S. administration official, discussing the initiative shortly before the official announcement, called it the first sweeping AI agreement between the United States and Europe. Previously, agreements on the issue had been limited to specific areas such as enhancing privacy, the official said. AI modeling, which refers to machine-learning algorithms that use data to make logical decisions, could be used to improve the speed and efficiency of government operations and services.

“The magic here is in building joint models (while) leaving data where it is,” the senior administration official said. “The U.S. data stays in the U.S. and European data stays there, but we can build a model that talks to the European and the U.S. data because the more data and the more diverse data, the better the model.” The initiative will give governments greater access to more detailed and data-rich AI models, leading to more efficient emergency responses and electric grid management, and other benefits, the administration official said. The partnership is currently between just the White House and the European Commission, the executive arm of the 27-member European Union. The senior administration official said other countries will be invited to join in the coming months.


PagerDuty CEO Quotes MLK Jr. In Worst Layoff Email Ever

Jody Serrano writes via Gizmodo: In a 1,669-word email to employees, [PagerDuty CEO Jennifer Tejada] echoed the script many tech CEOs have recited in recent months, stating that today’s “volatile economy requires additional transformation” by the company. As a result, PagerDuty would be “refining” its operating model by cutting about 7% of its staff globally. That wasn’t the only “refinement” the company would undertake, though. According to Tejada, PagerDuty will reduce its discretionary spend, negotiate “more favorable commercial agreements with key vendors,” and “rationalize [its] real estate footprint.” Up to this point, Tejada’s email, while overly complex, weird, and tone deaf, still was not that bad. She goes on to acknowledge employees and their contributions to PagerDuty and announces a decent severance pay of 11 weeks, with extended healthcare coverage and job support.
Nonetheless, it all starts to go downhill when she decides to use the same email where she announces layoffs to celebrate recent employee promotions, reveal good financial results for the fourth quarter of last year, and state that the company expects to end the year strong. As if she couldn’t do so in another email where people weren’t told they were possibly losing their jobs. “We expect to finish the year strong — in fact, we have reaffirmed our guidance for FY23 today — and those results, combined with the refinements outlined above, put PagerDuty in a position of strength to successfully execute on our platform strategy regardless of what the market and the macroenvironment bring,” Tejada said.

While it’s clearly a CEO’s job to cheer on their company, Tejada makes things sound so good that it’s perplexing to think the company has to lay off any people to begin with. Alas, the PagerDuty CEO was not done sticking her foot in her mouth and ended her note with a quote from King’s sermons published in The Measure of a Man in 1959. She used brackets to change the quote slightly to accommodate her message. “I am reminded in moments like this, of something Martin Luther King said, that ‘the ultimate measure of a [leader] is not where [they] stand in the moments of comfort and convenience, but where [they] stand in times of challenge and controversy,’” Tejada said. “It doesn’t seem to have been written with ill intent, but rather with the goal to save time (by announcing layoffs, promotions, and predictions for a solid year) and save face (by refusing to say the word layoffs),” adds Serrano. “In these difficult situations, though, it’s just better to be upfront.”


US Says It ‘Hacked the Hackers’ To Bring Down Hive Ransomware Gang

The FBI revealed today that it had shut down the prolific ransomware gang called Hive, “a maneuver that allowed the bureau to thwart the group from collecting more than $130 million in ransomware demands from more than 300 victims,” reports Reuters. Slashdot readers wiredmikey and unimind shared the news. From the report: At a news conference, U.S. Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy U.S. Attorney General Lisa Monaco said government hackers broke into Hive’s network and put the gang under surveillance, surreptitiously stealing the digital keys the group used to unlock victim organizations’ data. They were then able to alert victims in advance so they could take steps to protect their systems before Hive demanded the payments. “Using lawful means, we hacked the hackers,” Monaco told reporters. “We turned the tables on Hive.”

News of the takedown first leaked on Thursday morning when Hive’s website was replaced with a flashing message that said: “The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware.” Hive’s servers were also seized by the German Federal Criminal Police and the Dutch National High Tech Crime Unit. The undercover infiltration, which started in July 2022, went undetected by the gang until now.

The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 different countries, and has collected more than $100 million in ransomware payments. Although there were no arrests announced on Wednesday, Garland said the investigation was ongoing and one department official told reporters to “stay tuned.”
