An OpenSSL vulnerability once signaled as the first critical-level patch since the Internet-reshaping Heartbleed bug has just been patched. It ultimately arrived as a "high" security fix for a buffer overflow, one that affects all OpenSSL 3.x installations, but is unlikely to lead to remote code execution. From a report: OpenSSL version 3.0.7 was announced last week as a critical security fix release. The specific vulnerabilities (now CVE-2022-37786 and CVE-2022-3602) had been largely unknown until today, but analysts and businesses in the web security field hinted there could be notable problems and maintenance pain. Some Linux distributions, including Fedora, held up releases until the patch was available. Distribution giant Akamai noted before the patch that half of their monitored networks had at least one machine with a vulnerable OpenSSL 3.x instance, and among those networks, between 0.2 and 33 percent of machines were vulnerable. But the specific vulnerabilities -- limited-circumstance, client-side overflows that are mitigated by the stack layout on most modern platforms -- are now patched, and rated as "High." And with OpenSSL 1.1.1 still in its long-term support phase, OpenSSL 3.x is not nearly as widespread. Malware expert Marcus Hutchins points to an OpenSSL commit on GitHub that details the code issues: "fixed two buffer overflows in puny code decoding functions." A malicious email address, verified within an X.509 certificate, could overflow bytes on a stack, resulting in a crash or potentially remote code execution, depending on the platform and configuration.

An anonymous reader quotes a report from Phys.Org: Bumble bees play, according to new research led by Queen Mary University of London published in Animal Behavior. It is the first time that object play behavior has been shown in an insect, adding to mounting evidence that bees may experience positive "feelings." The team of researchers set up numerous experiments to test their hypothesis, which showed that bumble bees went out of their way to roll wooden balls repeatedly despite there being no apparent incentive for doing so. The study also found that younger bees rolled more balls than older bees, mirroring human behavior of young children and other juvenile mammals and birds being the most playful, and that male bees rolled them for longer than their female counterparts.

The study followed 45 bumble bees in an arena and gave them the options of walking through an unobstructed path to reach a feeding area or deviating from this path into the areas with wooden balls. Individual bees rolled balls between 1 and, impressively, 117 times over the experiment. The repeated behavior suggested that ball-rolling was rewarding. This was supported by a further experiment where another 42 bees were given access to two colored chambers, one always containing movable balls and one without any objects. When tested and given a choice between the two chambers, neither containing balls, bees showed a preference for the color of the chamber previously associated with the wooden balls. The set-up of the experiments removed any notion that the bees were moving the balls for any greater purpose other than play. Rolling balls did not contribute to survival strategies, such as gaining food, clearing clutter, or mating and was done under stress-free conditions. [...] The new research showed the bees rolling balls repeatedly without being trained and without receiving any food for doing so -- it was voluntary and spontaneous -- therefore akin to play behavior as seen in other animals. Study first-author, Samadi Galpayage, Ph.D. student at Queen Mary University of London says that "it is certainly mind-blowing, at times amusing, to watch bumble bees show something like play. They approach and manipulate these 'toys' again and again. It goes to show, once more, that despite their little size and tiny brains, they are more than small robotic beings."

"They may actually experience some kind of positive emotional states, even if rudimentary, like other larger fluffy, or not so fluffy, animals do. This sort of finding has implications to our understanding of sentience and welfare of insects and will, hopefully, encourage us to respect and protect life on Earth ever more."

Memtest86+ just got its first update after 9 years. The program has reportedly been rewritten from scratch and is back in active development. The new version, 6.0, features a plethora of updates to bring the application up to date, and support the latest system hardware from Intel and AMD. Tom's Hardware reports: For the uninitiated, MemTest86 was originally created back in the mid 1990s, and was one of the earliest DDR memory testing applications for personal computers. But development stopped in 2013 once Memtest86 was split into Memtest86 and Memtest86", with the former being bought by PassMark. Officially, we don't know why development stopped. But compared to the now modern Memtest86, Memtest86+ is the open-source variant.

Needless to say, version 6.00 features a lot of updates, which were required to bring it up to modern standards compared to the 2013 version. The new version includes completely rewritten code for UEFI-based motherboards, the modern version of a BIOS, for both 32-bit and 64-bit versions of the application. Furthermore, the application features added support for x64 long mode paging, support for up to 256 cores, added detection for DDR4 and DDR5 memory -- since DDR3 was the latest memory standard in 2013 -- and adds support for XMP version 3.0.

CPU support has been significantly enhanced, addingdetection for all pre-Zen and AMD Zen-based processors ranging from the Ryzen 1000 series to 7000 series, and any older parts that were made after 2013. Intel support has also been added for chips up to 13th gen Raptor Lake. Finally, the last patch notes indicate version 6.0 adds support for older Nvidia and AMD chipsets - probably pre-2010 since it mentions Nvidia nForce chipsets, along with numerous bug fixes, optimizations and enhancements.

Bill Gates's climate-oriented venture fund "is plowing more money into climate adaptation," reports MIT Technology Review: To date, the fund has focused on "climate mitigation," which largely concentrates on driving down climate pollution. Climate adaptation refers to developing ways of bolstering protections against the dangers of climate change, rather than just preventing it.

The firm's new focus will include ways to help farmers and communities grapple with increasingly common or severe droughts [possibly through advanced desalination technology or systems that pull moisture out of the air], and helping crops remain productive as the world becomes hotter, wetter, or drier; potentially through indoor farming and genetic alteration. Strengthening the infrastructure of global ports, which face growing threats from sea-level rise and increasingly powerful storms, will also be investigated.
"Investment opportunities there could include dynamic mooring systems that automatically respond to storm surges, cranes that can operate safely in hotter and harsher conditions, and ships that are more rugged," said Eric Toone, technical lead for Breakthrough Energy Ventures' investment committee, in an interview with MIT Technology Review.

"Mitigation's just not going to get us there fast enough, and suffering is unacceptable...." Toone says. "So while our focus will continue to be on mitigation, we will expand our scope to include adaptation."

Firefox 106 is now available for download, bringing various new features and enhancements, such as a new PDF editing feature and new way to organize recently closed tabs. 9to5Linux reports: Mozilla says that Firefox 106 finally brings the long-anticipated two-finger swipe horizontal gesture for navigating back and forward on a website without having to hold down the Alt key. [...] Firefox 106 also introduces annotation capabilities to the built-in PDF viewer so you can write text, draw, or add signatures on PDF files. You'll be able to change the size and color of the text tool, as well as the thickness, opacity, and color of the draw tool.

Another interesting new feature of the Firefox 106 release is called Firefox View, which is implemented as a pinned tab, promising to help you get back to the content you've previously discovered by allowing you to switch seamlessly between your devices running Firefox. On top of all that, Firefox 106 also brings major WebRTC changes to improve Windows and Wayland screen sharing, RTP performance and reliability, statistics, and more. There are also the usual bug and security fixes to make Firefox more stable and reliable on your system.

When a kernel developer asked Linus Torvalds if he'd missed a Git pull, Torvalds "revealed the request was still in his queue as 'I'm doing merges (very slowly) on my laptop, while waiting for new ECC memory DIMMs to arrive,'" reports The Register: Torvalds needs the DIMMs because over the last few days he experienced what he described as "some instability on my main desktop... with random memory corruption in user space resulting in my allmodconfig builds randomly failing with internal compiler errors etc."

The Linux boss's first thought was that a new kernel bug had caused the problem — which isn't good but sometimes happens. His instinct was wrong. "It was literally a DIMM going bad in my machine randomly after 2.5 years of it being perfectly stable," he wrote. "Go figure. Verified first by booting an old kernel, and then with memtest86+ overnight."

Torvalds appears to have been tracking delivery of the new DIMMs as he reported replacement memory was "out for delivery" and predicted it should arrive later on Sunday evening....

His post also mentions that his main PC was set up for error correction code memory (ECC memory), but "during the early days of COVID when there wasn't any ECC memory available at any sane prices. And then I never got around to fixing it, until I had to detect errors the hard way."

"I absolutely *detest* the crazy industry politics and bad vendors that have made ECC memory so 'special'," he added.

An anonymous reader quotes a report from Ars Technica: It's still possible to learn a lot of interesting things about old operating systems. Sometimes, those things are already documented (on a blog post) that miraculously still exist. One such quirk showed up recently when someone noticed how Microsoft made sure that SimCity and other popular apps worked on Windows 95. A recent tweet by @Kalyoshika highlights an excerpt from a blog post by Fog Creek Software co-founder, Stack Overflow co-creator, and longtime software blogger Joel Spolsky. The larger post is about chicken-and-egg OS/software appeal and demand. The part that caught the eye of a Hardcore Gaming 101 podcast co-host is how the Windows 3.1 version of SimCity worked on the Windows 95 system. Windows 95 merged MS-DOS and Windows apps, upgraded APIs from 16 to 32-bit, and was hyper-marketed. A popular app like SimCity, which sold more than 5 million copies, needed to work without a hitch.

Spolsky's post summarizes how SimCity became Windows 95-ready, as he heard it, without input from Maxis or user workarounds: "Jon Ross, who wrote the original version of SimCity for Windows 3.x, told me that he accidentally left a bug in SimCity where he read memory that he had just freed. Yep. It worked fine on Windows 3.x, because the memory never went anywhere. Here's the amazing part: On beta versions of Windows 95, SimCity wasn't working in testing. Microsoft tracked down the bug and added specific code to Windows 95 that looks for SimCity. If it finds SimCity running, it runs the memory allocator in a special mode that doesn't free memory right away. That's the kind of obsession with backward compatibility that made people willing to upgrade to Windows 95."

Spolsky (in 2000) considers this a credit to Microsoft and an example of how to break the chicken-and-egg problem: "provide a backwards compatibility mode which either delivers a truckload of chickens, or a truckload of eggs, depending on how you look at it, and sit back and rake in the bucks." Windows developers may have deserved some sit-back time, seeing the extent of the tweaks they often have to make for individual games and apps in Windows 95. Further in @Kalyoshika's replies, you can find another example, pulled from the Compatibility Administrator in Windows' Assessment and Deployment Kit (ADK). A screenshot from @code_and_beer shows how Windows NT, upon detecting files typically installed with Final Fantasy VII, will implement a fittingly titled compatibility fix: "Win95VersionLie." Simply telling the game that it's on Windows 95 seems to fix a major issue with its operation, along with a few other emulation and virtualization tweaks. "Mike Perry, former creative director at Sim empire Maxis (and later EA), noted later that there was, technically, a 32-bit Windows 95 version of Sim City available, as shown by the 'Deluxe Edition' bundle of the game," adds Ars. "He also states that Ross worked for Microsoft after leaving Maxis, which would further explain why Microsoft was so keen to ensure people could keep building parks in the perfect grid position to improve resident happiness."

Tom's Hardware reports: We recently broke the news that Intel's Alder Lake BIOS source code had been leaked to 4chan and Github, with the 6GB file containing tools and code for building and optimizing BIOS/UEFI images. We reported the leak within hours of the initial occurrence, so we didn't yet have confirmation from Intel that the leak was genuine. Intel has now issued a statement to Tom's Hardware confirming the incident:

"Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program...."


The BIOS/UEFI of a computer initializes the hardware before the operating system has loaded, so among its many responsibilities, is establishing connections to certain security mechanisms, like the TPM (Trusted Platform Module). Now that the BIOS/UEFI code is in the wild and Intel has confirmed it as legitimate, both nefarious actors and security researchers alike will undoubtedly probe it to search for potential backdoors and security vulnerabilities....

Intel hasn't confirmed who leaked the code or where and how it was exfiltrated. However, we do know that the GitHub repository, now taken down but already replicated widely, was created by an apparent LC Future Center employee, a China-based ODM that manufactures laptops for several OEMs, including Lenovo.
Thanks to Slashdot reader Hmmmmmm for sharing the news.

According to the New York Times, former chief security officer of Uber, Joe Sullivan, has been found guilty of hiding a 2016 data breach from authorities and obstructing an investigation by the FTC into the company's security practices. The breach affected more than 57 million Uber riders and drivers. From the report: Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber's online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems. Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000. Mr. Sullivan's team referred them to Uber's bug bounty program, a way of paying "white hat" researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.

During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber. Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined in the company in 2017. The two hackers pleaded guilty to the hack in October 2019. States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators. Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the F.T.C. investigation and hurt his reputation and that he concealed the hack from the F.T.C. Mr. Sullivan did not reveal the 2016 hack to Uber's general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark.

Mr. Sullivan did not reveal the 2016 hack to Uber's general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark. Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new Uber chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan. Mr. Clark testified that Mr. Sullivan told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research. Mr. Sullivan said he would discuss the breach with Uber's "A Team" of top executives, according to Mr. Clark's testimony. He shared the matter with only one member of the A Team: then chief executive Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents. The case is "believed to be the first time a company executive faced criminal prosecution over a hack," notes the report.

"The way responsibilities are divided up is going to be impacted by this. What's documented is going to be impacted by this The way bug bounty programs are designed is going to be impacted by this," said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Register reports: The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam's networks. [...] According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection.

The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that. "The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register.

"For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."

An anonymous reader quotes a report from Motherboard: Everyone wants to be able to just zap a bug and have it go away. But now, thanks to a recent development from Ildar Rakhmatulin, a research associate at Heriot-Watt University interested in machine learning and engineering, this dream is now a reality. In the study -- which was conducted last year but published in Oriental Insects last week -- Rakhmatulin and his co-authors used a laser insect control device automated with machine vision to perform a series of experiments on domiciliary cockroaches. They were able to not only detect cockroaches at high accuracy but also neutralize and deter individual insects at a distance up to 1.2 meters. This is a follow-up of sorts to earlier projects, in which he used a Raspberry Pi and lasers to zap mosquitoes. However, for this project, Rakhmatulin used a different kind of computer which allowed for more precision in detecting the bug.

"I started using a Jetson Nano that allowed me to use deep learning technologies with higher accuracy to detect an object," Rakhmatulin explained. The Jetson Nano is a small computer that can run machine learning algorithms. The computer processes a digital signal from two cameras to determine the cockroach's position. It transmits that information to a galvanometer (a machine that measures electric current), which changes the direction of the laser to shoot the target. According to the paper, Rakhmatulin tried this configuration at different power levels for the laser. At a lower power level, he found that he could influence the behavior of roaches by simply triggering their flight response with a laser; this way, they could potentially be trained to not shelter in a particular dark area. At a higher power level, the cockroaches were effectively "neutralized," in the paper's language -- in other words, killed. "I use very cheap hardware and cheap technology and it's open source," Rakhmatulin said. "All sources are uploaded in my GitHub and see how to do it and use it. If it can damage cockroaches, it can also damage other pests in agriculture."

It's not quite ready for household use though. "It's not recommended because it's a little dangerous," Rakhmatulin said. "Lasers can damage not only cockroaches but your eyes."

You can view a video of the device in action here.

Weeks after Twitter's ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn't close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. From a report: This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, perhaps because of a lost or stolen device, for instance. Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user's Twitter account. In a blog post, Twitter explains that it had learned of the bug that had allowed "some" accounts to stay logged in on multiple devices after a user reset their password voluntarily. Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked -- but that didn't take place on mobile devices, Twitter says. Web sessions, however, were not impacted and were closed appropriately, it noted.

An anonymous reader quotes a report from the Washington Post: A new estimate for the total number of ants burrowing and buzzing on Earth comes to a whopping total of nearly 20 quadrillion individuals. That staggering sum -- 20,000,000,000,000,000, or 20,000 trillion -- reveals ants' astonishing ubiquity even as scientists grow concerned a possible mass die off of insects could upend ecosystems. In a paper released Monday by the Proceedings of the National Academy of Sciences, a group of scientists from the University of Hong Kong analyzed 489 studies and concluded that the total mass of ants on Earth weighs in at about 12 megatons of dry carbon. Put another way: If all the ants were plucked from the ground and put on a scale, they would outweigh all the wild birds and mammals put together.

"It's unimaginable," said Patrick Schultheiss, a lead author on the study who is now a researcher at the University of Wurzburg in Germany, in a Zoom interview. "We simply cannot imagine 20 quadrillion ants in one pile, for example. It just doesn't work." Counting all those insects -- or at least enough of them to come up with a sound estimate -- involved combining data from "thousands of authors in many different countries" over the span of a century, Schultheiss added. To tally insects as abundant as ants, there are two ways to do it: Get down on the ground to sample leaf litter -- or set tiny pitfall traps (often just a plastic cup) and wait for the ants to slip in. Researchers have gotten their boots dirty with surveys in nearly every corner of the world, though some spots in Africa and Asia lack data. "It's a truly global effort that goes into these numbers," Schultheiss said.

mspohr writes: A major bug in Apple's latest iPhone is causing the camera to physically fail when using apps such as TikTok, Snapchat and Instagram, some owners have reported. The bug in the company's iPhone 14 Pro Max, the most expensive model in the iPhone 14 range, appears to affect the optical image stabilisation (OIS) feature, which uses a motor to eliminate the effects of camera shake when taking pictures. Opening the camera in certain apps causes the OIS motor to go haywire, causing audible grinding sounds and physically vibrating the entire phone. The vibration does not occur when using the built-in camera app, suggesting the problem's roots are in a software fault. However, some have warned affected users to limit their usage of apps that trigger the bug, in case excess vibration causes permanent damage to the OIS system. The company has previously warned users about potential damage to the OIS motor, particularly in situations where their phones are experiencing significant vibration. In January this year, the company published a long warning note for users about the risk of mounting their iPhones near "high-power motorcycle engines."

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack. From a report: The breach appeared to have compromised many of Uber's internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. "They pretty much have full access to Uber," said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. "This is a total compromise, from what it looks like."

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials. Uber employees were instructed not to use the company's internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly. Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach." The message went on to list several internal databases that the hacker claimed had been compromised. BleepingComputers adds: According Curry, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets. Curry told BleepingComputer that he first learned of the breach after the attacker left the above comment on a vulnerability report he submitted to Uber two years ago. Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks.

Curry further shared that an Uber employee said the threat actor had access to all of the company's private vulnerability submissions on HackerOne. BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.

VMware engineers have tested the Linux kernel's fix for the Retbleed speculative execution bug, and report it can impact compute performance by a whopping 70 percent. The Register reports: In a post to the Linux Kernel Mailing List titled "Performance Regression in Linux Kernel 5.19", VMware performance engineering staffer Manikandan Jagatheesan reports the virtualization giant's internal testing found that running Linux VMs on the ESXi hypervisor using version 5.19 of the Linux kernel saw compute performance dip by up to 70 percent when using single vCPU, networking fall by 30 percent and storage performance dip by up to 13 percent. Jagatheesan said VMware's testers turned off the Retbleed remediation in version 5.19 of the kernel and ESXi performance returned to levels experienced under version 5.18.

Because speculative execution exists to speed processing, it is no surprise that disabling it impacts performance. A 70 percent decrease in computing performance will, however, have a major impact on application performance that could lead to unacceptable delays for some business processes. VMware's tests were run on Intel Skylake CPUs -- silicon released between 2015 and 2017 that will still be present in many server fleets. Subsequent CPUs addressed the underlying issues that allowed Retbleed and other Spectre-like attacks.

An anonymous reader quotes a report from CNET: In a new study, published Monday in the journal npj Flexible Electronics, an international team of researchers revealed it has engineered a system to remotely control the legs of cockroaches from afar. The system, which is basically a cockroach backpack wired into the creature's nervous system, has a power output about 50 times higher than previous devices and is built with an ultrathin and flexible solar cell that doesn't hinder the roach's movement. Pressing a button sends a shock to the backpack that tricks the roach into moving a certain direction.

Cockroach cyborgs are not a new idea. Back in 2012, researchers at North Carolina State University were experimenting with Madagascar hissing cockroaches and wireless backpacks, showing the critters could be remotely controlled to walk along a track. The way scientists do this is by attaching the backpack and connecting wires to a cockroach's "cerci," two appendages at the end of the abdomen that are basically sensory nerves. One on the left, one on the right. Previous studies have shown electrical impulses to either side can stimulate the roach into moving in that direction, giving researchers some control over locomotion. But to send and receive signals, you need to power the backpack. You might be able to use a battery but, eventually, a battery will run out of power and the cyborg cockroach will be free to disappear into the leaf litter.

The team at Riken crafted the system to be solar-powered and rechargeable. They attached a battery and stimulation module to the cockroach's thorax (the upper segment of its body). That was the first step. The second step was to make sure the solar cell module would adhere to the cockroach's abdomen, the segmented lower section of its body. [T]he Riken team tested a number of thin electronic films, subjecting their roaches to a bunch of experiments and watching how the roaches moved depending on the thickness of the film. This helped them decide on a module about 17 times thinner than a human hair. It adhered to the abdomen without greatly limiting the degree of freedom the roaches had and also stuck around for about a month, greatly outlasting previous systems. "The current system only has a wireless locomotion control system, so it's not enough to prepare an application such as urban rescue," said Kenjiro Fukuda, an expert in flexible electronics at Japan's Riken. "By integrating other required devices such as sensors and cameras, we can use our cyborg insects for such purposes."

Fukuda notes the design of the ultrathin solar cell could be applied to other insects, like beetles and cicadas.

Windows' "Defender" software is supposed to detect malware. But its Microsoft team is now investigating reports that it's mistakenly flagging Electron-based or Chromium-based applications — as malware.

"It's a false positive, and your computer is OK," wites the blog Windows Central: This morning, many people worldwide experienced Microsoft Defender warning them of a recurring virus threat.... People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

This detection appears to be a false positive, according to a Microsoft Support forum... From DaveM121, an Independent Advisor: [I]t is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify, etc....
Also affected are Google Chrome and even Microsoft Edge, as well as "anything that runs Visual Studio Code," according to the article.

"The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved."

"There's been a big rise in ransomware attacks targeting Linux," reports ZDNet, "as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security." According to analysis by cybersecurity researchers at Trend Micro, Linux servers are "increasingly coming under fire" from ransomware attacks, with detections up by 75% over the course of the last year as cyber criminals look to expand their attacks beyond Windows operating systems.

Linux powers important enterprise IT infrastructure including servers, which makes it an attractive target for ransomware gangs — particularly when a perceived lack of threat to Linux systems compared with Windows means that cybersecurity teams might choose to focus on defending Windows networks against cybercrime. Researchers note that ransomware groups are increasingly tailoring their attacks to focus specifically on Linux systems. For example, LockBit is one of the most prolific and successful ransomware operations of recent times and now offers the option of a Linux-based variant that is designed to target Linux systems and has been used to conduct attacks in the wild....

And it isn't just ransomware groups that are increasingly turning their attentions towards Linux — according to Trend Micro, there's been a 145% increase in Linux-based cryptocurrency-mining malware attacks, where cyber criminals secretly exploit the power of infected computers and servers to mine for cryptocurrency for themselves. One of the ways cyber criminals are compromising Linux systems is by exploiting unpatched vulnerabilities. According to the report, these flaws include CVE-2022-0847 — also known as Dirty Pipe — a bug that affects the Linux kernel from versions 5.8 and up, which attackers can use to escalate their privileges and run code. Researchers warn that this bug is "relatively easy to exploit".
The article recommends installing all security patches as soon as they're available — and implementing multi-factor authentication across your organization.

And yes, it's the real ZDNet. They've just re-designed their web site...

Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It'll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects' codebases. From a report: While it's important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don't continuously have to reinvent the same wheel. But since developers often directly import that code, as well as any updates to it, that introduces the possibility of supply chain attacks. That's when hackers don't target the code directly controlled by Google itself but go after these third-party dependencies instead.

As SolarWinds showed, this type of attack isn't limited to open-source projects. But in the past few years, we've seen several stories where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector -- Google itself has begun vetting and distributing a subset of popular open-source programs, but it's almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.