Today's anonymous submitter spent a few weeks feeling pretty good about themselves. You see, they'd inherited a gigantic and complex pile of code, an application spread out across 15 backend servers, theoretically organized into "modules" and "microservices" but in reality was a big ball of mud. And after a long and arduous process, they'd dug through that ball of mud and managed to delete 190 files, totaling 30,000 lines of code. That was fully 2/3rds of the total codebase, gone- and yet the tests continued to pass, the application continued to run, and everyone was just much happier with it.

Two weeks later, a new ticket comes in: users are getting a 403 error when trying to access the "User Update" screen. Our submitter has seen a lot of these tickets, and it almost always means that the user's permissions are misconfigured. It's an easy fix, and not a code problem.

Just to be on the safe side, though, they pull up the screen with their account- guaranteed to have the right permissions- and get a 403.

As you can imagine, the temptation to sneak a few fixes in alongside this massive refactoring was impossible to resist. One of the problems was that most of their routes were camelCase URLs, but userupdate was not. So they'd fixed it. It was a minor change, and it worked in testing. So what was happening?

Well, there was a legacy authorization database. It was one of those 15 backend servers, and it ran no web code, and thus wasn't touched by our submitter's refactoring. Despite their web layer having copious authorization and authentication code, someone had decided back in the olden days, to implement that authorization and authentication in its own database.

Not every request went through this database. It impacted new sessions, but only under specific conditions. But this database had a table in it, which listed off all the routes. And unlike the web code, which used regular expressions for checking routes, and were case insensitive, this database did a strict equality comparison.

The fix was simple: update the table to allow userUpdate. But it also pointed towards a deeper, meaner target for future refactoring: dealing with this sometimes required (but often not!) authentication step lurking in a database that no one had thought about until our submitter's refactoring broke something.

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

An anonymous reader quotes a report from The Guardian: Bolstered by Silicon Valley investment, scientists are making such rapid progress that lab-grown human eggs and sperm could be a reality within a decade, a meeting of the Human Fertilization and Embryology Authority board heard last week (PDF). In-vitro gametes (IVGs), eggs or sperm that are created in the lab from genetically reprogrammed skin or stem cells, are viewed as the holy grail of fertility research. The technology promises to remove age barriers to conception and could pave the way for same-sex couples to have biological children together. It also poses unprecedented medical and ethical risks, which the HFEA now believes need to be considered in a proposed overhaul of fertility laws. Peter Thompson, chief executive of the HFEA, said: "In-vitro gametes have the potential to vastly increase the availability of human sperm and eggs for research and, if proved safe, effective, and publicly acceptable, to provide new fertility treatment options for men with low sperm counts and women with low ovarian reserve." The technology also heralds more radical possibilities including "solo parenting" and "multiplex parenting." Julia Chain, chair of HFEA, said: "It feels like we ought to have Steven Spielberg on this committee," in a brief moment of levity in the discussion of how technology should be regulated. Lab-grown eggs have already been used produce healthy babies in mice -- including ones with two biological fathers. The equivalent feat is yet to be achieved using human cells, but US startups such as Conception and Gameto claim to be closing in on this prize. The HFEA meeting noted that estimated timeframes ranged from two to three years -- deemed to be optimistic -- to a decade, with several clinicians at the meeting sharing the view that IVGs appeared destined to become "a routine part of clinical practice." The clinical use of IVGs would be prohibited under current law and there would be significant hurdles to proving that IVGs are safe, given that any unintended genetic changes to the cells would be passed down to all future generations. The technology also opens up myriad ethical issues. Thompson said: "Research on IVGs is progressing quickly but it is not yet clear when they might be a viable option in treatment. IVGs raise important questions and that is why the HFEA has recommended that they should be subject to statutory regulation in time, and that biologically dangerous use of IVGs in treatment should never be permitted." "This is the latest of a range of detailed recommendations on scientific developments that we are looking at to future-proof the HFE Act, but any decisions around UK modernizing fertility law are a matter for parliament."

Read more of this story at Slashdot.

sciencehabit shares a report from Science: Legend has it that if you walk along Old Light Road in Summerville, South Carolina, you might see an eerie glow hovering over an abandoned rail line in the nearby woods. Old-timers will tell you it's a spectral lantern held by the apparition of a woman searching for her decapitated husband's head. Susan Hough has proposed a scientific explanation that is far more plausible, however. A seismologist with the U.S. Geological Survey, she believes the so-called Summerville Light could represent a rare natural phenomenon: earthquake lights. Sparks from steel rail tracks could ignite radon or other gases released from the ground by seismic shaking, Hough explains in an interview with Science. In Summerville, I think it's the railroad tracks that matter. I've crawled around tracks during my fieldwork in South Carolina. Historically, when [rail companies] replaced tracks, they didn't always haul the old track away. So, you've got heaps of steel out there. Sparks might be part of the story. And maybe the railroads are important for another reason. They may naturally follow fault lines that have carved corridors through the landscape. The findings have been published in the journal Seismological Research Letters. Hough also cites a paper published by Japanese scientist Yuji Enomoto that connects earthquake lights to the release of gases like radon or methane.

Read more of this story at Slashdot.

Google has appealed a record $4.5 billion EU antitrust fine to the European Court of Justice, arguing that the European Commission's decision punished its innovation and imposed unfair penalties for agreements requiring pre-installation of its apps on Android devices. Reuters reports: Google's appeal to the Luxembourg-based Court of Justice of the European Union comes two years after a lower tribunal sided with the European Commission which said the company used its Android mobile operating system to quash rivals. The lower court trimmed the fine to 4.1 billion euros. "Google does not contest or shy away from its responsibility under the law, but the Commission also has a responsibility when it runs investigations, when it seeks to reshape markets and second-guess pro-competitive business models, and when it imposes multi-billion-euro fines," Google lawyer Alfonso Lamadrid told the court. "In this case, the Commission failed to discharge its burden and its responsibility and, relying on multiple errors of law, punished Google for its superior merits, attractiveness and innovation," he said. The final ruling is expected in the coming months and cannot be appealed.

Read more of this story at Slashdot.

During the first press briefing of Donald Trump's second administration, White House press secretary, Karoline Leavitt, said that the National Security Council was "looking into" the potential security implications of China's DeepSeek AI startup. Axios reports: DeepSeek's low-cost but highly advanced models have shaken the consensus that the U.S. had a strong lead in the AI race with China. Responding to a question from Axios' Mike Allen, Leavitt said President Trump saw this as a "wake-up call" for the U.S. AI industry, but remained confident "we'll restore American dominance." Leavitt said she had personally discussed the matter with the NSC earlier on Tuesday. In the combative tone that characterized much of her first briefing, Leavitt claimed the Biden administration "sat on its hands and allowed China to rapidly develop this AI program," while Trump had moved quickly to appoint an AI czar and loosen regulations on the AI industry. Leavitt also commented on the mysterious drones spotted flying around New Jersey at the end of last year, saying they were "authorized to be flown by the FAA."

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Hill: Two federal employees are suing the Office of Personnel Management (OPM) to block the agency from creating a new email distribution system -- an action that comes as the information will reportedly be directed to a former staffer to Elon Musk now at the agency. The suit (PDF), launched by two anonymous federal employees, ties together two events that have alarmed members of the federal workforce and prompted privacy concerns. That includes an unusual email from OPM last Thursday reviewed by The Hill said the agency was testing "a new capability" to reach all federal employees -- a departure from staffers typically being contacted directly by their agency's human resources department. Also cited in the suit is an anonymous Reddit post Monday from someone purporting to be an OPM employee, saying a new server was installed at their office after a career employee refused to set up a direct line of communication to all federal employees. According to the post, instructions have been given to share responses to the email to OPM chief of staff Amanda Scales, a former employee at Musk's AI company. Federal agencies have separately been directed to send Scales a list of all employees still on their one-year probationary status, and therefore easier to remove from government. The suit says the actions violate the E-Government Act of 2002, which requires a Privacy Impact Assessment before pushing ahead with creation of databases that store personally identifiable information. Kel McClanahan, executive director of National Security Counselors, a non-profit law firm, noted that OPM has been hacked before and has a duty to protect employees' information. "Because they did that without any indications to the public of how this thing was being managed -- they can't do that for security reasons. They can't do that because they have not given anybody any reason to believe that this server is secure.that this server is storing this information in the proper format that would prevent it from being hacked," he said. McClanahan noted that the emails appear to be an effort to create a master list of federal government employees, as "System of Records Notices" are typically managed by each department. "I think part of the reason -- and this is just my own speculation -- that they're doing this is to try and create that database. And they're trying to sort of create it by smushing together all these other databases and telling everyone who receives the email to respond," he said.

Read more of this story at Slashdot.

During the first press briefing of Donald Trump's second administration, White House press secretary, Karoline Leavitt, said the mysterious drones spotted flying around New Jersey at the end of last year were "authorized to be flown by the FAA." "After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons," she said, adding that "many of these drones were also hobbyists, recreational and private individuals that enjoy flying drones." Leavitt added: "In time, it got worse due to curiosity. This was not the enemy." The drone sightings prompted local and federal officials to urge Congress to pass drone-defense legislation. The FAA issued a monthslong ban on drone flights over a large swatch of New Jersey while authorities invested the sightings. The Biden administration insisted that the drones were "nothing nefarious" and that there was "no sense of danger."

Read more of this story at Slashdot.

The XB-1, a civilian supersonic jet developed by Boom Supersonic, successfully broke the sound barrier during a test flight over the Mojave Desert. It reached an altitude of 35,290 feet before accelerating to Mach 1.22, the company said in a press release. CBS News reports: It marks the first time an independently developed jet has broken the sound barrier, Boom Supersonic said, and the plane is the "first supersonic jet made in America." The sound barrier was broken for the first time in 1947, when Air Force pilot Capt. Chuck Yeager flew a rocket-propelled experimental aircraft across the Mojave Desert -- taking off from the Mojave Air and Space Port just as the XB-1 did. [...] The company will next focus its attention on Overture, a supersonic airliner that will ultimately "bring the benefits of supersonic flight to everyone," Boom Supersonic founder and CEO Blake Scholl said in a statement. The XB-1 jet will be the foundation for Overture, Boom Supersonic said, and many features present on the jet will also be incorporated into the supersonic airliner. The airliner will also use Boom Supersonic's bespoke propulsion system, Symphony, to run on "up to 100% sustainable aviation fuel." The company said the goal for the plane is for it to be able to carry between 64 and 80 passengers at Mach 1.7, or about 1,295 miles per hour. Existing subsonic airliners fly at between 550 and 600 miles per hour, according to charter company Bitlux. About 130 Overture planes have been pre-ordered, the company said. Airlines including American Airlines, United Airlines and Japan Airlines have placed pre-orders. The company finished building a "superfactory" in North Carolina in 2024, and will eventually produce 66 planes per year.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail. The vulnerabilities, affecting the CPUs in later generations of Apple A- and M-series chip sets, open them to side channel attacks, a class of exploit that infers secrets by measuring manifestations such as timing, sound, and power consumption. Both side channels are the result of the chips' use of speculative execution, a performance optimization that improves speed by predicting the control flow the CPUs should take and following that path, rather than the instruction order in the program. [...] The researchers published a list of mitigations they believe will address the vulnerabilities allowing both the FLOP and SLAP attacks. They said that Apple officials have indicated privately to them that they plan to release patches. In an email, an Apple representative declined to say if any such plans exist. "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," the spokesperson wrote. "Based on our analysis, we do not believe this issue poses an immediate risk to our users." FLOP, short for Faulty Load Operation Predictor, exploits a vulnerability in the Load Value Predictor (LVP) found in Apple's A- and M-series chipsets. By inducing the LVP to predict incorrect memory values during speculative execution, attackers can access sensitive information such as location history, email content, calendar events, and credit card details. This attack works on both Safari and Chrome browsers and affects devices including Macs (2022 onward), iPads, and iPhones (September 2021 onward). FLOP requires the victim to interact with an attacker's page while logged into sensitive websites, making it highly dangerous due to its broad data access capabilities. SLAP, on the other hand, stands for Speculative Load Address Predictor and targets the Load Address Predictor (LAP) in Apple silicon, exploiting its ability to predict memory locations. By forcing LAP to mispredict, attackers can access sensitive data from other browser tabs, such as Gmail content, Amazon purchase details, and Reddit comments. Unlike FLOP, SLAP is limited to Safari and can only read memory strings adjacent to the attacker's own data. It affects the same range of devices as FLOP but is less severe due to its narrower scope and browser-specific nature. SLAP demonstrates how speculative execution can compromise browser process isolation.

Read more of this story at Slashdot.

Hugging Face researchers are attempting to recreate DeepSeek's R1 artificial intelligence model in an open-source format, just days after the Chinese AI lab's release sent markets soaring. The project, called Open-R1, aims to replicate R1's reasoning capabilities while making its training data and code publicly available. DeepSeek's R1 model, which matches or surpasses OpenAI's o1 on several benchmarks, was released with a permissive license but keeps its underlying architecture private. Hugging Face will use its research server with 768 Nvidia H100 GPUs for the effort.

Read more of this story at Slashdot.

The Federal Communications Commission will abandon a proposal that would have banned mandatory internet service charges for apartment and condominium residents. FCC Chair Brendan Carr halted the Biden-era plan that sought to prevent landlords from requiring tenants to pay for specific broadband providers. Housing industry groups said they welcomed the decision, arguing bulk billing arrangements help secure discounted rates. They claim these agreements can reduce internet costs by up to 50%. However, public interest advocates, who backed the original proposal, contend that landlords don't always pass these savings to tenants.

Read more of this story at Slashdot.

Companies are planning smaller raises this year, according to a new survey of chief financial officers from Gartner. From a report: It's become harder to find a job, particularly in the white-collar world. So employers are far less worried about people quitting and don't need to do as much to get workers to stick around. "Nobody is talking about the Great Resignation anymore," says Randeep Rathindran, a vice president in the finance practice at Gartner. The vast majority of employers, 94%, are still planning raises this year, per Gartner, which surveyed 300 CFOs and finance executives. The amounts are just smaller now. The share of CFOs planning to raise average employee compensation by 4% or more in 2025 fell to 61% from 86% in 2023.

Read more of this story at Slashdot.

An anonymous reader shares a report: LinkedIn has removed at least two accounts that were created for AI "co-workers" whose profile images said they were "#OpenToWork." "I don't need coffee breaks, I don't miss deadlines, and I'll outperform any social media team you've ever worked with -- Guaranteed," the profile page for one of these AI accounts called Ella said. "Tired of human 'experts' making excuses? I deliver, period." The #OpenToWork flair on profile pictures is a feature on LinkedIn that lets people clearly signal they are looking for a job on the professional networking platform. "People expect the people and conversations they find on LinkedIn to be real," a LinkedIn spokesperson told me in an email. "Our policies are very clear that the creation of a fake account is a violation of our terms of service, and we'll remove them when we find them, as we did in this case." The AI profiles were created by an Israeli company called Marketeam, which offers "dedicated AI agents" that integrate with a client's marketing team and help them execute their marketing strategies "from social media and content marketing to SEO, RTM, ad campaigns, and more."

Read more of this story at Slashdot.

The Bulletin of Atomic Scientists moved their Doomsday Clock to 89 seconds before midnight on Tuesday, the closest to catastrophe in the timepiece's 78-year history. The Chicago-based group cited Russia's nuclear threats during its Ukraine invasion, growing tensions in the Middle East, China's military pressure near Taiwan, and the rapid advancement of AI as key factors. The symbolic clock, created in 1947 by scientists including Albert Einstein, moved one second closer than last year's setting.

Read more of this story at Slashdot.

The UK is considering making households who only use streaming services such as Netflix and Disney pay the BBC license fee, as part of plans to modernize the way it funds the public-service broadcaster. Bloomberg: Extending the fee to streaming applications is on a menu of options being discussed by Prime Minister Keir Starmer's office, the Treasury and the Department for Culture, Media and Sport, according to people familiar with the matter who asked not to be named discussing internal government deliberations. Alternatives under discussion include allowing the British Broadcasting Corp. to use advertising, imposing a specific tax on streaming services, and asking those who listen to BBC radio to pay a fee. The government is the early stages of examining how to overhaul the funding of Britain's public broadcaster when its current 11-year charter ends on Dec. 31, 2027. Ministers are looking to either retain and alter the current television license fee model or scrap it and instead fund the BBC through alternative models such as taxation or subscription. That's because viewing habits have changed as users gravitate toward on-demand services. [...] The license fee dates back to 1946, when consumers watched programs at the time of broadcast. It currently costs households who watch live TV or use BBC iPlayer $210.6 a year, an amount that usually rises annually with inflation. Even if they don't watch BBC programs, households are required to hold a TV license to view or stream programs live on sites including YouTube and Amazon Prime Video. However it's not needed by those who only watch on-demand, non-BBC content.

Read more of this story at Slashdot.

Garmin smartwatches are freezing in boot loops, users are reporting globally, with devices displaying a "blue triangle of death" when attempting GPS activities, affecting models across the Epix, Venu, Forerunner, Descent, and Fenix lines.

Read more of this story at Slashdot.

Google says it will end Chrome Sync support for browser versions more than four years old starting in early 2025. Users running outdated Chrome versions will see error messages prompting them to update their browsers to maintain access to synced data across devices. Those unable to update to newer versions will permanently lose the syncing feature, according to the firm.

Read more of this story at Slashdot.

The UK's competition watchdog has found that its $11.2 billion cloud services market "is not working," with Amazon Web Services and Microsoft each controlling up to 40% of the market. In provisional findings released Tuesday, the Competition and Markets Authority said the lack of competition likely leads to higher costs and reduced innovation for UK businesses. The regulator has recommended designating both companies with "strategic market status," which would allow closer scrutiny of their practices, including Microsoft's software licensing and AWS's data transfer fees.

Read more of this story at Slashdot.

Bookshop.org has launched an e-book platform and mobile app that allows independent bookstores to sell digital books, marking its latest effort to compete with Amazon in the online book market. The platform enables bookstores to sell e-books directly through their websites, with stores receiving all profits from direct sales. When customers buy e-books through Bookshop.org without selecting a specific store, 30% of profits will be shared among member bookstores. The move comes as most independent bookstores remain shut out of the growing digital book market. Only 18% of independent stores currently sell e-books, according to a 2023 American Booksellers Association survey. Since its 2020 launch, Bookshop.org has generated more than $35 million in profits for over 2,200 independent bookstores through physical book sales. The site will initially offer more than one million digital titles and plans to add self-published works later this year.

Read more of this story at Slashdot.

Nvidia shares plunged 17% on Monday, wiping nearly $600 billion from its market value, after Chinese AI firm DeepSeek's breakthrough, but analysts are questioning the cost narrative. DeepSeek said to have trained its December V3 model for $5.6 million, but chip consultancy SemiAnalysis suggested this figure doesn't reflect total investments. "DeepSeek has spent well over $500 million on GPUs over the history of the company," Dylan Patel of SemiAnalysis said. "While their training run was very efficient, it required significant experimentation and testing to work." The steep sell-off led to the Philadelphia Semiconductor index's worst daily drop since March 2020 at 9.2%, generating $6.75 billion in profits for short sellers, according to data group S3 Partners. DeepSeek's engineers also demonstrated they could write code without relying on Nvidia's Cuda software platform, which is widely seen as crucial to the Silicon Valley chipmaker's dominance of AI development.

Read more of this story at Slashdot.