Rust-Written ‘Redox OS’ Now Has a Working Web Server

Why DARPA is Funding an AI-Powered Bug-Spotting Challenge

Somewhere in America’s Defense Department, the DARPA R&D agency is running a two-year contest to write an AI-powered program “that can scan millions of lines of open-source code, identify security flaws and fix them, all without human intervention,” reports the Washington Post. [Alternate URL here.]

But as they see it, “The contest is one of the clearest signs to date that the government sees flaws in open-source software as one of the country’s biggest security risks, and considers artificial intelligence vital to addressing it.”

Free open-source programs, such as the Linux operating system, help run everything from websites to power stations. The code isn’t inherently worse than what’s in proprietary programs from companies like Microsoft and Oracle, but there aren’t enough skilled engineers tasked with testing it. As a result, poorly maintained free code has been at the root of some of the most expensive cybersecurity breaches of all time, including the 2017 Equifax disaster that exposed the personal information of half of all Americans. The incident, which led to the largest-ever data breach settlement, cost the company more than $1 billion in improvements and penalties.

If people can’t keep up with all the code being woven into every industrial sector, DARPA hopes machines can. “The goal is having an end-to-end ‘cyber reasoning system’ that leverages large language models to find vulnerabilities, prove that they are vulnerabilities, and patch them,” explained one of the advising professors, Arizona State’s Yan Shoshitaishvili…. Some large open-source projects are run by near-Wikipedia-size armies of volunteers and are generally in good shape. Some have maintainers who are given grants by big corporate users that turn it into a job. And then there is everything else, including programs written as homework assignments by authors who barely remember them.

“Open source has always been ‘Use at your own risk,'” said Brian Behlendorf, who started the Open Source Security Foundation after decades of maintaining a pioneering free server software, Apache, and other projects at the Apache Software Foundation. “It’s not free as in speech, or even free as in beer,” he said. “It’s free as in puppy, and it needs care and feeding.”
40 teams entered the contest, according to the article — and seven received $1 million in funding to continue on to the next round, with the finalists to be announced at this year’s Def Con, according to the article.

“Under the terms of the DARPA contest, all finalists must release their programs as open source,” the article points out, “so that software vendors and consumers will be able to run them.”

Read more of this story at Slashdot.

Epic Games CEO Criticized For Calling Apple’s ‘Find My’ Feature ‘Super Creepy’

Slashdot reader Applehu Akbar shared this report from MacRumors:

Epic Games CEO Tim Sweeney commented on Apple’s ‘Find My’ service, referring to it as “super creepy surveillance tech” that “shouldn’t exist.” Sweeney went on to explain that several years ago, “a kid” stole a Mac laptop out of his car. Years later, Sweeney was checking Find My, and as the Mac was still connected to his Apple ID account, it showed him the location where the thief lived.

When someone asked Sweeney if he’d at least gotten his laptop back, Sweeney answered “No. I was creeped the hell out by having unexpectedly received the kid’s address, and turned off Find My iPhone on all of my devices.”

Slashdot reader crmarvin42 quipped “Tell me you are stupidly rich, without telling me you are stupidly rich… Next someone will be saying that it is ‘Creepy’ to have security footage of someone taking your Amazon packages off of your porch.” And they also questioned Sweeney’s sincerity, suggesting that he’s “just saying that to try and make Apple look bad because of all the lawsuits going on.”

MacRumors followed the ensuing discussion:
Sweeney said that the location of a device in someone’s possession can’t be tracked without tracking the person, and “people have a right to privacy.” [“This right applies to second hand device buyers and even to thieves.”] He claims that detection and recovery of a lost or stolen device should be “mediated by due process of law” and not exposed to the device owner “in vigilante fashion.”
Some responded to Sweeney’s comments by sharing the headline of a Vox news story about Epic’s own privacy polices. (“Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy.”)

MacRumors cited a 2014 report that thefts of iPhones dropped after the introduction of Apple’s “Activation Lock” feature (which prevents the disabling of ‘Find My’ without a password).

But when the blog AppleInsider accused Sweeney of “an incredibly bad leap of logic” — Sweeney responded. “You’re idealizing this issue as good guys tracking criminals to their lairs, but when Find My or Google’s similar tech points a device owner to a device possessor’s home, one must anticipate the presence of families and kids and innocent used device buyers, and ask whether it’s really appropriate for a platform to use GPS and shadowy mesh network tech to set up physical confrontations among individuals.”

Sweeney also posted a quote from Steve Jobs about how at Apple, “we worry that some 14-year-old is going to get stalked and something terrible is going to happen because of our phone.”

Read more of this story at Slashdot.

NFL to Roll Out Facial Authentication Software to All Stadiums, League-Wide

America’s National Football League “is the latest organization to turn to facial authentication to bolster event security,” reports the Record, citing a new announcement this week:

All 32 NFL stadiums will start using the technology this season, after the league signed a contract with a company that uses facial scans to verify the identity of people entering event venues and other secure spaces.

The facial authentication platform, which counts the Cleveland Browns’ owners as investors, will be used to “streamline and secure” entry for thousands of credentialed media, officials, staff and guests so they can easily access restricted areas such as press boxes and locker rooms, Jeff Boehm, the chief operating officer of Wicket, said in a LinkedIn post Monday. “Credential holders simply take a selfie before they come, and then Wicket verifies their identity and checks their credentials with Accredit (a credentialing platform) as they walk through security checkpoints,” Boehm added.

Wicket technology was deployed in a handful of NFL stadiums last year as part of a pilot program. Other stadiums will start rolling it out beginning on Aug. 8, when the pre-season kicks off. Some teams also have extended their use of the technology to scan the faces of ticket holders. The Cleveland Browns, Atlanta Falcons and New York Mets all have used the company’s facial authentication software to authenticate fans with tickets, according to Stadium Tech Report. “Fans come look at the tablet and, instantly, the tablet recognizes the fan,” Brandon Covert, the vice president of information technology for the Cleveland Browns, said in a testimonial appearing on Wicket’s website. “It’s almost a half-second stop. It’s not even a stop — more of a pause.”

“The Browns also use Wicket to verify the ages of fans purchasing alcohol at concession stands, according to Wicket’s LinkedIn page,” the article points out.

And a July report from Privacy International found that 25 of the top 100 soccer stadiums in the world are already using facial recognition technology.

Thanks to long-time Slashdot reader schwit1 for sharing the news.

Read more of this story at Slashdot.