Researchers have identified a zero-day exploit for the Telegram messaging app on Android devices that could have allowed attackers to send malicious payloads disguised as legitimate files. From a report: The exploit was built to abuse a vulnerability that Slovakia-based firm ESET dubbed EvilVideo. Telegram fixed the bug earlier this month in versions 10.14.5 and above after researchers reported it. Threat actors had about five weeks to exploit the zero-day before it was patched, but it's not clear if it was used in the wild, ESET said. ESET discovered the exploit on an underground forum in early June. It was sold for an unspecified price by a user with the username "Ancryno." In its post, the seller showed screenshots and a video of testing the exploit in a public Telegram channel. In unpatched versions of Telegram for Android, attackers could use the exploit to send malicious payloads via Telegram channels, groups and chats, making them appear as multimedia files. The exploit takes advantage of Telegram's default setting to automatically download media files. The option can be disabled manually, but in that case, the payload could still be installed on the device if a user tapped the download button in the top left corner of the shared file. If the user tried to play the "video," Telegram displayed a message that it was unable to play it and suggested using an external player. The hackers disguised a malicious app as this external player.

Read more of this story at Slashdot.

In an interview with The Verge's Nilay Patel, Rivian founder and CEO RJ Scaringe said the automaker has no plans to adopt Apple CarPlay in its vehicles. "We have a great relationship with Apple," he said. "As much as I love their products, there's a reason that ironically is very consistent with Apple ethos for us to want to control the ecosystem." CarPlay isn't "consistent with how we think about really creating a pure product experience," Scaringe said. From the report: One example given by Scaringe includes CarPlay's inability to "leverage other parts of the vehicle experience," which would require Rivian customers to leave the app in order to do things like open the vehicle's front trunk. "We've taken the view of the digital experience in the vehicle wants to feel consistent and holistically harmonious across every touchpoint," said Scaringe. Instead, the Rivian CEO says the company will eventually add CarPlay's most desirable features "but on an a la carte basis." Scaringe says that excluding CarPlay will allow the company to be more selective about features like routing and mapping charging points, noting that Rivian had acquired route planning app maker Iternio last year to facilitate that. "We recognize that it'll take us time to fully capture every feature that's in CarPlay, and hopefully, customers are seeing that. I think it often gets more noise than it deserves," Scaringe said in the interview. "The other thing beyond mapping that's coming is better integration with texting. We know that needs to come, and it's something that teams are actively working on."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Reuters: Boeing-owned Wisk Aero expects its pilotless air-taxi to begin carrying passengers "later in the decade" as it works with the U.S. regulator to secure approvals, its CEO said on Monday, amid skepticism among industry analysts about certification timelines. Wisk is one of several electric vertical take-off and landing (eVTOL) aircraft makers that have emerged over the last few years with a promise to provide an environmentally-friendly mode of transport in congested cities. But the industry faces technological hurdles such as making batteries powerful enough for companies to make more trips on a single charge. They also need to convince regulators and the public that the aircraft are safe, a barrier that is higher when the aircraft is autonomous. Wisk is developing a four-seater autonomous aircraft that will have a range of 90 miles (145 km). "We are right now testing and producing the elements of this aircraft that we will hope to fly around the end of this year," CEO Brian Yutko told reporters at the Farnborough Airshow. Wisk's strategy is a departure from other major air-taxi makers, which are developing models that will require a pilot to fly the aircraft. The company has said operators of its aircraft will save on pilot costs. But industry experts at Bain say a full autonomous passenger flight is not expected before the late 2030s and pilotless aircraft will face competition from autonomous vehicles on the road. "Maximizing passenger occupancy and avoiding return trips with empty aircraft will be crucial for operator profitability," said Mattia Celli, one of the authors of the Bain report.

Read more of this story at Slashdot.

In a blog post today, Google said it has an "updated approach" that won't involve "deprecating third-party cookies" in Chrome. Instead, it's introducing "a new experience in Chrome that lets people make an informed choice that applies across their web browsing," which they'd be able to adjust at any time. Digiday reports: Google executives are already discussing this pivot with regulators including the U.K.'s Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO) and plan to do the same with the industry soon. For now, details on what this actually means remain light. And as for a timeline, Google seems to have learned its lesson from the numerous delays to its cookie-killing plans -- there isn't one. "As this moves forward, it remains important for developers to have privacy-preserving alternatives," Anthony Chavez, vp of the Privacy Sandbox, said in the blog post. "We'll continue to make the Privacy Sandbox APIs available and invest in them to further improve privacy and utility." For those who have poured time and effort into third-party cookie alternatives, fear not: Google will keep the APIs in the Sandbox. Your work isn't going to waste. In fact, the plan is to continue to invest in them, continued Chavez, to further improve "privacy and utility." Plus, additional privacy controls, like the recently announced IP Protection (i.e. IP masking for privacy protection) in Chrome's Incognito mode, will be added to the Sandbox. "We developed the Privacy Sandbox with the goal of finding innovative solutions that meaningfully improve online privacy while preserving an ad-supported internet that supports a vibrant ecosystem of publishers, connects businesses with customers, and offers all of us free access to a wide range of content," Chavez wrote in the blog post. Or, to put it another way, the Sandbox isn't going anywhere anytime soon.

Read more of this story at Slashdot.

An anonymous reader writes: Windows users are being notified that their systems aren't backed up with the built-in Windows backup solution. A corresponding message appears with the advice that it's best to make backups so that all data is stored "in case something happens to the PC." It almost reads like an indirect threat, but Microsoft is actually just pointing out the option to store file backups on its own OneDrive cloud service. And it's also advertising more storage space.

Read more of this story at Slashdot.

Waymo, a subsidiary of Google's parent Alphabet, has taken legal action against alleged vandals targeting its self-driving taxi fleet in San Francisco, according to court documents. The company, which operates ride-hailing services in several U.S. cities, has filed two lawsuits seeking substantial damages for incidents that reportedly resulted in extensive damage to vehicle tires and bodywork, Wired reported Monday.

Read more of this story at Slashdot.

Something is pumping out large amounts of oxygen at the bottom of the Pacific Ocean, at depths where a total lack of sunlight makes photosynthesis impossible. Nature: The phenomenon was discovered in a region strewn with ancient, plum-sized formations called polymetallic nodules, which could play a part in the oxygen production by catalysing the splitting of water molecules, researchers suspect. The findings are published in Nature Geoscience. "We have another source of oxygen on the planet, other than photosynthesis," says study co-author Andrew Sweetman, a sea-floor ecologist at the Scottish Association for Marine Science in Oban, UK -- although the mechanism behind this oxygen production remains a mystery. The findings could also have implications for understanding how life began, he says, as well as for the possible impact of deep-sea mining in the region. The observation is "fascinating," says Donald Canfield, a biogeochemist at the University of Southern Denmark in Odense. "But I find it frustrating, because it raises a lot of questions and not very many answers." Sweetman and his collaborators first noticed something amiss during field work in 2013. The researchers were studying sea-floor ecosystems in the Clarion-Clipperton Zone, an area between Hawaii and Mexico that is larger than India and a potential target for the mining of metal-rich nodules. During such expeditions, the team releases a module that sinks to the sea floor to perform automated experiments. Once there, the module drives cylindrical chambers down to close off small sections of the sea floor -- together with some seawater -- and create "an enclosed microcosm of the seafloor," the authors write. The lander then measures how the concentration of oxygen in the confined seawater changes over periods of up to several days. Without any photosynthetic organisms releasing oxygen into the water, and with any other organisms consuming the gas, oxygen concentrations inside the chambers should slowly fall. Sweetman has seen that happen in studies he has conducted in areas of the Southern, Arctic and Indian oceans, and in the Atlantic. Around the world, sea-floor ecosystems owe their existence to oxygen carried by currents from the surface, and would quickly die if cut off. (Most of that oxygen originates in the North Atlantic and is carried to deep oceans around the world by a 'global conveyor belt.')

Read more of this story at Slashdot.

Verizon reported a significant loss of wireless subscribers in the second quarter, with its consumer business shedding 624,000 prepaid customers, largely due to the expiration of the federal Affordable Connectivity Program in May. The telecom giant attributed over half of these losses to the end of the COVID-era internet subsidy that had previously supported 23 million low-income households across the United States. Despite the subscriber exodus, Verizon managed to add 148,000 net monthly bill-paying wireless phone subscribers during the period.

Read more of this story at Slashdot.

Luxury carmaker Porsche expects the transition to electric vehicles to take longer than it thought, it said on Monday, having previously said its aim was for 80% of sales to be all-electric by 2030. From a report: It has now watered down that goal by tying it explicitly to customer demand and developments in the electromobility sector, saying in a statement only that it could now deliver on the 80% target if those factors warrant it. "The transition to electric cars is taking longer than we thought five years ago," Porsche said in a statement. "Our product strategy is set up such that we could deliver over 80% of our vehicles as all electric in 2030 - dependent on customer demand and the development of electromobility."

Read more of this story at Slashdot.

An amateur photographer has documented his experience with at-home color film development and digitization. The process, initially undertaken for cost savings, involves a complex setup including a changing bag, developing tank, chemicals, and a DSLR scanning system, the author argues. Key challenges reported include film loading in darkness and achieving consistent image quality. Despite mixed results, the hobbyist -- Jason Koebler, an editor of 404 Media, a new publication that we have linked to quite a few times in recent months -- nonetheless cites satisfaction with the artistic and analog aspects of the process. He concludes: I have obviously (obviously!) not saved any money yet by doing this myself at home. I have spent many hundreds of dollars to develop about 20 rolls of film at home, and have achieved results that I am both amazed by and also frustrated with. The amazement comes from the fact that any of this actually works at all, and the knowledge that I am trying my best and having fun. The frustration comes from the blurry photos. It's all part of the process, I guess.

Read more of this story at Slashdot.

Intel continues to grapple with the mystery surrounding crashes in its latest 13th- and 14th-gen Core desktop processors, but it's refuting claims that the issue extends to its mobile chips. From a report: Matthew Cassells, the founder of Alderon Games and developer of Path of Titans, claimed on Reddit that the company had noted crashes on Intel's mobile processors. "Yes we have several laptops that have failed with the same crashes," he wrote. "It's just slightly more rare then [sic] the desktop CPU faults." Previously, Alderon had issued a statement blaming "thousands of crashes," as noted by its own crash reports on the Intel CPUs. It also claimed it would switch its server infrastructure to chips made by AMD. Intel's problem with its latest Core chips has persisted since January, but simmered for months while developers began pointing fingers and PC makers started working on solutions. To date, the most bulletproof solution has been simply to swap out an affected part for a replacement, which Intel has been willing to do. Intel has also issued guidance as to what power-profile settings users and board makers should use while it works to solve the problem. An Intel representative said Friday via e-mail that Intel still remains in the dark about the root cause of the issue. However, Intel claims that its mobile processors aren't being affected.

Read more of this story at Slashdot.

The United States has claimed victory at the International Mathematical Olympiad in Chiang Mai, Thailand, marking its first win in over two decades. The competition, which pitted top-ranked high school math students from more than 100 countries against each other, saw the U.S. team emerge triumphant after two days of intense problem-solving. NPR adds: The U.S. team last won the Olympiad in 1994. Reports in recent years have raised concerns that American math students are falling behind those in the rest of the world. But, Po-Shen Loh, a professor at Carnegie Mellon University and head coach for Team USA, says, "At least in this case with the Olympiads, we've been able to prove that our top Americans are certainly at the level of the top people from the other countries."

Read more of this story at Slashdot.

OpenResearch, a lab funded by OpenAI CEO Sam Altman, has released initial findings from a comprehensive study on unconditional cash transfers. The experiment, conducted from 2020 to 2023, provided $1,000 monthly to 1,000 low-income Americans across Illinois and Texas. Results showed recipients primarily used the funds for basic needs and increased spending on healthcare and leisure activities. While the cash boost led to some positive outcomes, including increased business startups among Black recipients and women, it did not significantly improve long-term financial health or physical well-being. The study also noted a reduction in work hours among participants, with earnings dropping by at least 12 cents for every dollar received.

Read more of this story at Slashdot.

A Microsoft spokesman says that a 2009 European Commission agreement prevents the company from restricting third-party access to Windows' core functions, shedding light on factors contributing to Friday's widespread outage that affected millions of computers globally. The disruption, which caused the infamous "blue screen of death" on Windows machines across various industries, originated from a faulty update by cybersecurity firm CrowdStrike. The incident highlighted the vulnerability of Microsoft's open ecosystem, mandated by the EU agreement, which requires the tech giant to provide external security software developers the same level of system access as its own products. This policy stands in stark contrast to more closed systems like Apple's.

Read more of this story at Slashdot.

8.5 million Windows devices were ultimately affected by the Crowdstrike outage, according to figures from Microsoft cited by CNN. And now an anonymous Slashdot reader shares CNN's report on the ramifications: What one cybersecurity expert said appears to be the "largest IT outage in history" led to the cancellation of more than 5,000 commercial airline flights worldwide and disrupted businesses from retail sales to package deliveries to procedures at hospitals, costing revenue and staff time and productivity... While CrowdStrike has apologized, it has not mentioned whether or not it intends to provide compensation to affected customers. And when asked by CNN about whether it plans to provide compensation, its response did not address that question. Experts say they expect that there will be demands for remuneration and very possibly lawsuits. "If you're a lawyer for CrowdStrike, you're probably not going to enjoy the rest of your summer," said Dan Ives, a tech analyst for Wedbush Securities.... But there could be legal protections for CrowdStrike in its customer contracts to shield it from liability, according to one expert. "I would guess that the contracts protect them," said James Lewis, researcher at the Center for Strategic and International Studies... It's also not clear how many customers CrowdStrike might lose because of Friday. Wedbush Securities' Ives estimates less than 5% of its customers might go elsewhere. "They're such an entrenched player, to move away from CrowdStrike would be a gamble," he said. It will be difficult, and not without additional costs, for many customers to switch from CrowdStrike to a competitor. But the real hit to CrowdStrike could be reputational damage that will make it difficult to win new customers... [E]ven if customers are understanding, it's likely that CrowdStrike's rivals will be seeking to use Friday's events to try to lure them away. One final note from CNN. Patrick Anderson, CEO of a Michigan research firm called the Anderson Economic Group, "added that the costs could be particularly significant for airlines, due to lost revenue from canceled flights and excess labor and fuel costs for the planes that did fly but faced significant delays." See also: Third Day of 1,000+ Cancelled Flights, Just in the US, After Crowdstrike Outage .

Read more of this story at Slashdot.

Re-visiting the Napster era, Stephen Witt's book How Music Got Free has been adapted into a two-part documentary on Paramount+. But the documentary's director believes "The real innovative minds here were a bunch of rogue teenagers and a guy working a blue-collar factory job in the tiny town of Shelby, North Carolina," according to this article in the Guardian: By day, [Glover] worked at Universal Music's CD manufacturing plant in North Carolina, from which he smuggled out hot albums by stars like Mary J Blige and 50 Cent before they were even released. For the documentary, Glover spoke openly, and largely without regret, as did others who worked at that plant who did their own share of stealing. Part of their incentive was class revenge: while they were paid piddling wages by the hour, the industry used the products they manufactured to mint millions. To maximize profits on his end, Glover set up a subscription service to let those in his circle know what CDs and movies were coming. "He was doing what Netflix would later do," Stapleton said... In the meantime, the record companies and their lobbying arm, the RIAA, focused their wrath on the most public face of file-sharing: Napster. In truth, all Fanning's company did was make more accessible the work the pirates innovated and first distributed... For its part, the music industry reacted in the worst way possible, PR-wise. They sued the kids who made up their strongest fanbase. "One of the key lessons we learned from this era is that you can't sue your way out of a situation like this," Witt said. "You have to build a new technology that supersedes what the pirates did." Eventually, that's what happened, though the first attempts in that direction made things worse than ever for the labels and stars. When Apple first created the iPod in 2001, there wasn't yet an Apple store where listeners could purchase music legally. "It was just a place to put your stolen MP3s," said Witt. Labels couldn't sue Apple because of a ruling dictating that the manufacturer of a device couldn't be held responsible for piracy enacted by its users. While Steve Jobs later modified his approach, creating a way for fans to buy individual songs for the iPod, "that did more damage to the industry than anything", Witt said. "Whereas, before they could sell a $15 CD to fans who really just wanted one song, now those fans could get that song for just a dollar...." Eventually, the collective efforts of the streaming companies returned the music industry to massive profitability, though often at the expense of its artists, who often receive a meager slice of the proceeds.... Things ended less favorably for the pirates, some of whom now have criminal records. Likewise, Glover served a short prison sentence though, today, he is chief maintenance technician at the Ryder Truck manufacturing plant in his home town. A Forbes senior contributor (and director Alexandria Stapleton) believe that for the younger generation it may be "their first introduction to why the music industry is the way that they're used to." And Stapleton says their sympathies are with those factory workers. Stapleton: They were completely underpaid. They were making literally nothing. It's important for people to understand that while the industry was charging $20 for a CD, it cost like 20 cents to make. That's a big profit margin. And to have a factory that was paying barely enough for people to put food on the table, I think there's something wrong with that... Witt: It's amazing to think about what they were really doing, which was essentially filling the technological vacuum that the record industry was refusing to fill, right? The record industry was not building out the successor technology to the compact disc because the compact disc was just too profitable for them. Instead, a bunch of random teenagers built the next generation of technology for them, and yeah, it caused a lot of damage. But I don't think that teenagers were necessarily trying to hurt anyone... They weren't malicious. They just were fascinated by how this stuff worked. And of course, they were also completely entranced by the celebrity of the musicians themselves. In the interview Witt adds that a lot of those teenagers "were really kind of traumatized by their experience with the FBI I would say, and they wanted to get that story out there." The documentary was produced by LeBron James and Eminem, "who rode the tail end of the CD boom to stratospheric heights," remembers a Fast Company opinion columnist. (And 25 years later, that columnist has gone back to listening to vinyl records, which "reignited for me a long-missing air of full engagement... Technology marches forward, except when it occasionally lurches backward...")

Read more of this story at Slashdot.

Jan wrote some code that set a property, and a few lines later had to write code to read that value- and the compiler complained. Which is what drew his attention to this C# code:

public string ViewNodeFilter { protected get { if (viewNodeFilter.IsNotValid()) { return "null"; } return new JavaScriptSerializer().Serialize(viewNodeFilter); } set { viewNodeFilter = value; } }

Now, one of the features of properties in C# is that the getter and setter can have different access levels, which we see here. It's odd and unexpected, and when we look at the implementation, we can see why the getter is protected: it's not a getter, it's a JSON serializer.

But there's a lot more oddness in here. First, the property is a string, so when we serialize it… we're just serializing a string. Then there's also the IsNotValid method, which is not part of string, which implies that it's an extension method. Extension methods are a C# bit of syntactic sugar that allows you to write a function which accepts an object as a parameter (in this case, a string), but invoke the method as if it were a member function of the object. They can be powerful and useful, but this is peak "not how you use this"- every string gets a IsNotValid() method, this way, which is likely not what we want.

This is a surprisingly common problem in the .NET languages, though. Since you can attach code to getters and setters, but access looks just like an assignment expression, people put all sorts of surprising code in there. Would you expect foo = viewNodeFilterHolder.ViewNodeFilter to serialize to JSON? I wouldn't. But since the data is a string, does it matter? Well, it does when I get surprised by the string "null".

All in all, this is an ugly little booby trap, that represents a pattern common in Jan's application.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

A ransomware attack has taken down the computer system of America's largest trial court, reports the Associated Press: The cybersecurity attack began early Friday and is not believed to be related to the faulty CrowdStrike software update that has disrupted airlines, hospitals and governments around the world, officials said in a statement Friday. The court disabled its computer network systems upon discovery of the attack, and it will remain down through at least the weekend. Friday's statement called it "a serious security event," adding that the court is receiving help from local, state, and federal law enforcement agencies. "At this time, the preliminary investigation shows no evidence of court users' data being compromised." Over the past few years, the Court has invested heavily in its cybersecurity operations, modernizing its cybersecurity infrastructure and making strategic staff investments in the Cybersecurity Division within Court Technology Services. As a result of this investment, the Court was able to quickly detect an intrusion and address it immediately. Due to the ongoing nature of the investigation, remediation, and recovery, the Court will not comment further until additional information is available for public release. Sunday the Court posted on X.com that they're "working diligently to get the Court's network systems back up and running... "When we have a better understanding of the extent to which the Court will be operational tomorrow, July 22, we will provide information and direction to court users and jurors, likely later this evening."

Read more of this story at Slashdot.

The BBC reports that "while most of the world was grappling with the blue screen of death on Friday," there was one country that managed to escape largely unscathed: China. The reason is actually quite simple: CrowdStrike is hardly used there. Very few organisations will buy software from an American firm that, in the past, has been vocal about the cyber-security threat posed by Beijing. Additionally, China is not as reliant on Microsoft as the rest of the world. Domestic companies such as Alibaba, Tencent and Huawei are the dominant cloud providers. So reports of outages in China, when they did come, were mainly at foreign firms or organisations. On Chinese social media sites, for example, some users complained they were not able to check into international chain hotels such as Sheraton, Marriott and Hyatt in Chinese cities. Over recent years, government organisations, businesses and infrastructure operators have increasingly been replacing foreign IT systems with domestic ones. Some analysts like to call this parallel network the "splinternet". "It's a testament to China's strategic handling of foreign tech operations," says Josh Kennedy White, a cybersecurity expert based in Singapore. "Microsoft operates in China through a local partner, 21Vianet, which manages its services independently of its global infrastructure. This setup insulates China's essential services — like banking and aviation — from global disruptions." "Beijing sees avoiding reliance on foreign systems as a way of shoring up national security." Thanks to long-time Slashdot reader hackingbear for sharing the article.

Read more of this story at Slashdot.

In April the U.S. Space Force began testing "a new ground-based satellite jamming weapon to help keep U.S. military personnel safe from potential 'space-enabled' attacks" (according to a report from Space.com). The weapon was "designed to deny, degrade, or disrupt communications with satellites overhead, typically through overloading specific portions of the electromagnetic spectrum with interference," according to the article, with the miitary describing it as a small form-factor system "designed to be fielded in large numbers at low-cost and operated remotely" and "provide counterspace electronic warfare capability to all of the new Space Force components globally." And now, Bloomberg reports that the U.S. is about to deploy them: The devices aren't meant to protect U.S. satellites from Chinese or Russian jamming but "to responsibly counter adversary satellite communications capabilities that enable attacks," the Space Force said in a statement to Bloomberg News. The Pentagon strives — on the rare occasions when it discusses such space capabilities — to distinguish its emerging satellite-jamming technology as purely defensive and narrowly focused. That's as opposed to a nuclear weapon the U.S. says Russia is developing that could create high-altitude electromagnetic pulses that would take out satellites and disrupt entire communications networks. The first 11 of 24 Remote Modular Terminal jammers will be deployed in several months, and all of them could be in place by Dec. 31 at undisclosed locations, according to the Space Force statement... The new terminals augment a much larger jamming weapon called the Counter Communications System that's already deployed and a mid-sized one called Meadowlands "by providing the ability to have a proliferated, remotely controlled and relatively relocatable capability," the Space Force said. The Meadowlands system has encountered technical challenges that have delayed its delivery until at least October, about two years later than planned. China has "hundreds and hundreds of satellites on orbit designed to find, fix, track, target and yes, potentially engage, US and allied forces across the Indo-Pacific," General Stephen Whiting, head of US Space Command, said Wednesday at the annual Aspen Security Forum. "So we've got to understand that and know what it means for our forces." Bloomberg also got this comment from the chief director of space security and stability at the Secure World Foundation (which produces reports on counterspace weapons). The new U.S. Space Force jamming weapons are "reversible, temporary, non-escalatory and allow for plausible deniability in terms of who the instigator is."

Read more of this story at Slashdot.