New ‘GoFetch’ Apple CPU Attack Exposes Crypto Keys

“There is a new side channel attack against Apple ‘M’ series CPUs that does not appear to be fixable without a major performance hit,” writes Slashdot reader EncryptedSoldier. SecurityWeek reports: A team of researchers representing several universities in the United States has disclosed the details of a new side-channel attack method that can be used to extract secret encryption keys from systems powered by Apple CPUs. The attack method, dubbed GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance.

The researchers have found a way to use specially crafted cryptographic operation inputs that allow them to infer secret keys, guessing them bits at a time by monitoring the behavior of the DMP. They managed to demonstrate end-to-end key extraction attacks against several crypto implementations, including OpenSSL Diffie-Hellman Key Exchange, Go RSA, and the post-quantum CRYSTALS-Kyber and CRYSTALS-Dilithium. The researchers have conducted successful GoFetch attacks against systems powered by Apple M1 processors, and they have found evidence that the attack could also work against M2 and M3 processors. They have also tested an Intel processor that uses DMP, but found that it’s ‘more robust’ against such attacks.

The experts said Apple is investigating the issue, but fully addressing it does not seem trivial. The researchers have proposed several countermeasures, but they involve hardware changes that are not easy to implement or mitigations that can have a significant impact on performance. Apple told SecurityWeek that it thanks the researchers for their collaboration as this work advances the company’s understanding of these types of threats. The tech giant also shared a link to a developer page that outlines one of the mitigations mentioned by the researchers. The researchers have published a paper (PDF) detailing their work.

Ars Technica’s Dan Goodin also reported on the vulnerability.

Read more of this story at Slashdot.

Database For UK Nurse Registration ‘Completely Unacceptable’

Lindsay Clark reports via The Register: The UK Information Commissioner’s Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on “a journey of improvement.” But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases — holding information about 800,000 registered professionals — are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently — for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The whistleblower’s complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU’s General Data Protection Regulation (GDPR)]. The statement alleges that the NMC’s “data management and data retrieval practices were completely unacceptable.” “There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization,” the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals’ names, start with a letter or other invalid data, or are simply null. The whistleblower’s complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce “accurate, correct, business critical reports … because frankly no one knows where the correct data is to be found.” A spokesperson for the NMC said the register was “organized and documented” in the SQL Server database. “For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared.”

Read more of this story at Slashdot.

Users Shocked To Find Instagram Limits Political Content By Default

Instagram has been limiting recommended political content by default without notifying users. Ars Technica reports: Instead, Instagram rolled out the change in February, announcing in a blog that the platform doesn’t “want to proactively recommend political content from accounts you don’t follow.” That post confirmed that Meta “won’t proactively recommend content about politics on recommendation surfaces across Instagram and Threads,” so that those platforms can remain “a great experience for everyone.” “This change does not impact posts from accounts people choose to follow; it impacts what the system recommends, and people can control if they want more,” Meta’s spokesperson Dani Lever told Ars. “We have been working for years to show people less political content based on what they told us they want, and what posts they told us are political.”

To change the setting, users can navigate to Instagram’s menu for “settings and activity” in their profiles, where they can update their “content preferences.” On this menu, “political content” is the last item under a list of “suggested content” controls that allow users to set preferences for what content is recommended in their feeds. There are currently two options for controlling what political content users see. Choosing “don’t limit” means “you might see more political or social topics in your suggested content,” the app says. By default, all users are set to “limit,” which means “you might see less political or social topics.” “This affects suggestions in Explore, Reels, Feed, Recommendations, and Suggested Users,” Instagram’s settings menu explains. “It does not affect content from accounts you follow. This setting also applies to Threads.” “Did [y’all] know Instagram was actively limiting the reach of political content like this?!” an X user named Olayemi Olurin wrote in an X post. “I had no idea ’til I saw this comment and I checked my settings and sho nuff political content was limited.”

“This is actually kinda wild that Instagram defaults everyone to this,” another user wrote. “Obviously political content is toxic but during an election season it’s a little weird to just hide it from everyone?”

Read more of this story at Slashdot.

Windows 11 Notepad Finally Gets Spellcheck and Autocorrect

Microsoft today announced a preview release of Windows Notepad, with built-in spellchecking and an autocorrect feature. BleepingComputer reports: Microsoft says they are rolling out this preview to Insiders in the Windows 11 Canary and Dev channels, but it may take some time before it’s available for everyone. “With this update, Notepad will now highlight misspelled words and provide suggestions so that you can easily identify and correct mistakes,” reads Microsoft’s announcement. “We are also introducing autocorrect which seamlessly fixes common typing mistakes as you type.”

Once installed, Notepad will now show a red squiggly line under misspelled words that, when clicked, shows suggestions on the correct spelling. It’s also possible to ignore words in a single text document or add them to the global dictionary so they are not shown in the future.

Microsoft says that this feature will be turned off for log and source code files. This is because it’s common for non-standard words to be used in these files, triggering multiple spellcheck errors. Users can control this setting globally or for specific file types in the Notepad app’s settings. The autocorrect feature is a bit more seamless, automatically making small changes to grammar and punctuation as you type.

Read more of this story at Slashdot.

Redis To Adopt ‘Source-Available Licensing’ Starting With Next Version

Longtime Slashdot reader jgulla shares an announcement from Redis: Beginning today, all future versions of Redis will be released with source-available licenses. Starting with Redis 7.4, Redis will be dual-licensed under the Redis Source Available License (RSALv2) and Server Side Public License (SSPLv1). Consequently, Redis will no longer be distributed under the three-clause Berkeley Software Distribution (BSD). The new source-available licenses allow us to sustainably provide permissive use of our source code.

We’re leading Redis into its next phase of development as a real-time data platform with a unified set of clients, tools, and core Redis product offerings. The Redis source code will continue to be freely available to developers, customers, and partners through Redis Community Edition. Future Redis source-available releases will unify core Redis with Redis Stack, including search, JSON, vector, probabilistic, and time-series data models in one free, easy-to-use package as downloadable software. This will allow anyone to easily use Redis across a variety of contexts, including as a high-performance key/value and document store, a powerful query engine, and a low-latency vector database powering generative AI applications. […]

Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code. These agreements will underpin support for existing integrated solutions and provide full access to forthcoming Redis innovations. In practice, nothing changes for the Redis developer community who will continue to enjoy permissive licensing under the dual license. At the same time, all the Redis client libraries under the responsibility of Redis will remain open source licensed. Redis will continue to support its vast partner ecosystem — including managed service providers and system integrators — with exclusive access to all future releases, updates, and features developed and delivered by Redis through its Partner Program. There is no change for existing Redis Enterprise customers.

Read more of this story at Slashdot.

Apple Launches All-In-One ‘Manuals, Specs, and Downloads’ Website

EPA Sets Strict New Limits On Tailpipe Emissions That Could Boost EV Sector

sinij shares a report from the New York Post: The Biden administration finalized its crackdown on gas cars Wednesday, with the Environmental Protection Agency announcing drastic climate regulations meant to ensure more than two-thirds of passenger cars and light trucks sold by 2032 are electric or hybrid vehicles. The EPA rule imposes strict limits on tailpipe pollution, limits the agency says can be met if 56% of new vehicles sold in the US are electric by eight years from now, along with 13% that are plug-in hybrids or other partially electric cars. That would be a huge increase over current EV sales, which rose to 7.6% of new vehicle sales last year, up from 5.8% in 2022. […] The new rule slows implementation of stricter pollution standards from 2027 through 2029, before ramping up to near the level the EPA preferred by 2032. “Personal car ownership is about to get A LOT more expensive as it will have to carry the costs of deep discounts to entice EV sales,” adds Slashdot reader sinij.

Read more of this story at Slashdot.

Epic Games Store To Launch On iOS and Android This Year, Will Take 12% Cut of Sales In EU

During its State of Unreal presentation at GDC 2024 today, Epic Games confirmed its plans to bring the Epic Games Store to iOS and Android before the end of the year. The company also shared more details about its app marketplace for iOS in the European Union. As reported by 9to5Mac, Epic Games said it will take a 12% commission from sales. From the report: Epic says the terms for developers will be the same via the Epic Games Store on mobile as they are on the Epic Games Store on PC. As such, the company will take a 12% commission on all sales through the Epic Games Store. The revenue share is 100% for the developer during the first six months on the Epic Games Store. The Epic Games Store will feature Epic’s own content, including Fortnite, alongside a selection of third-party partners. The company says it will share additional details in the lead-up to the launch later this year.

Read more of this story at Slashdot.

Woman With $2.5 Billion In Bitcoin Convicted of Money Laundering

mrspoonsi shares a report from the BBC: A former takeaway worker found with Bitcoin worth more than $2.5 billion has been convicted at Southwark Crown Court of a crime linked to money laundering. Jian Wen, 42, from Hendon in north London, was involved in converting the currency into assets including multi-million-pound houses and jewelry. On Monday she was convicted of entering into or becoming concerned in a money laundering arrangement. The Met said the seizure is the largest of its kind in the UK.

Although Wen was living in a flat above a Chinese restaurant in Leeds when she became involved in the criminal activity, her new lifestyle saw her move into a six-bedroom house in north London in 2017 which was rented for more than $21,000 per month. She posed as an employee of an international jewelry business and moved her son to the UK to attend private school, the Crown Prosecution Service (CPS) said. That same year, Wen tried to buy a string of expensive houses in London, but struggled to pass money-laundering checks and her claims she had earned millions legitimately mining Bitcoin were not believed. She later travelled abroad, buying jewelry worth tens of thousands of pounds in Zurich, and purchasing properties in Dubai in 2019.

Another suspect is thought to be behind the fraud but they remain at large. The Met said it carried out a large scale investigation as part of the case – searching several addresses, reviewing 48 electronic devices, and examining thousands of digital files including many which were translated from Mandarin. The CPS has obtained a freezing order from the High Court, while it carries out a civil recovery investigation that could lead to the forfeiture of the Bitcoin. The value of the Bitcoin was worth around $2.5 billion at the time of initial estimates — but due to the fluctuation in the currency’s value, it has since increased to around $4.3 billion.

Read more of this story at Slashdot.