A critical vulnerability that hackers have exploited since August, which allows them to bypass multifactor authentication in Citrix networking hardware, has received a patch from the manufacturer. Unfortunately, applying it isn't enough to protect affected systems. ArsTechnica: The vulnerability, tracked as CVE-2023-4966 and carrying a severity rating of 9.8 out of a possible 10, resides in the NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. Stemming from a flaw in a currently unknown function, the information-disclosure vulnerability can be exploited so hackers can intercept encrypted communications passing between devices. The vulnerability can be exploited remotely and with no human action required, even when attackers have no system privileges on a vulnerable system.

Citrix released a patch for the vulnerability last week, along with an advisory that provided few details. On Wednesday, researchers from security firm Mandiant said that the vulnerability has been under active exploitation since August, possibly for espionage against professional services, technology, and government organizations. Mandiant warned that patching the vulnerability wasn't sufficient to lock down affected networks because any sessions hijacked before the security update would persist afterward.

The FCC has unanimously approved plans by several tech companies to use the 6GHz band for wireless devices. From a report: FCC Chair Jessica Rosenworcel proposed the new rules, which would authorize very low power (VLP) operations -- meaning their signals won't be able to go very far -- in about 850MHz of the spectrum, on September 27th. The rules will also allow devices to "use higher power levels" so long as they're geofenced to keep from interfering with actual licensed 6GHz usage, and the FCC will be taking comments on other ways it can expand 6GHz spectrum usage by technology devices.

A September Bloomberg report pointed to some of the kinds of devices the FCC's affirmative vote could open up, including in-car connections, mobile virtual or augmented reality devices, and more. The FCC originally opened up 1,200MHz of the 6GHz spectrum for unlicensed use by Wi-Fi routers and client devices (think smartphones or laptops), giving home networks far more wireless overhead than existing Wi-Fi standards already had. This new approval expands the spectrum for much more general use.

The U.S. FCC voted Thursday to advance a proposal to reinstate landmark net neutrality rules and assume new regulatory oversight of broadband internet that was rescinded under former President Donald Trump. From a report: In a 3-2 party-line vote, the FCC approved Chairwoman Jessica Rosenworcel's Notice of Proposed Rulemaking (NPRM), which seeks public comment on the broadband regulation plan. The comment period will officially open after the proposal is published in the Federal Register, but the docket is already active and can be found here. The proposal would reclassify broadband as a telecommunications service, a designation that allows the FCC to regulate ISPs under the common-carrier provisions in Title II of the Communications Act. The plan is essentially the same as what the FCC did in 2015 when it used Title II to prohibit fixed and mobile Internet providers from blocking or throttling traffic or giving priority to Web services in exchange for payment.

The Obama-era net neutrality rules were eliminated during Trump's presidency when then-Chairman Ajit Pai led a repeal that reclassified broadband as an information service, returning it to the less strict regulatory regime of Title I. The current FCC likely would have acted much sooner but there was a 2-2 deadlock until last month when the Senate confirmed Biden nominee Anna Gomez to fill the empty spot. After the comment period, the FCC is likely to finalize the rulemaking and put the 2015 rules back in place. The broadband industry will likely then sue the FCC in an attempt to nullify the rulemaking.

Reddit is winding down Community Points -- the blockchain-based "internet points" program designed to reward creators and developers -- in favor of prioritizing rewards programs that are less difficult to scale. From a report: "Though we saw some future opportunities for Community Points, the resourcing needed was unfortunately too high to justify," Reddit's director of consumer and product communications Tim Rathschmidt told TechCrunch. "The regulatory environment has since added to that effort. Though the moderators and communities that supported Community Points have been incredible partners -- as it's evolved, the product is no longer set up to scale."

Community Points, which will be phased out by early November, were promoted as a chance for Redditors to "own" a piece of their community. First launched in 2020, Community Points were awarded to users who positively engaged in select subreddits in order to incentivize better content and conversation. The points were essentially interchangeable Ethereum tokens stored in Reddit's Vault, which operated as a cryptocurrency wallet.

Binance has suspended access to its crypto exchange for new users based in the UK, after a partnership with a third party to approve communications on its platform under new local rules was terminated by the country's watchdog. From a report: Any customers based in the UK not already signed up to Binance's platform were no longer able to join the exchange from 5 p.m. in London on Monday, according to a blog post published by Binance. The move puts the world's largest crypto exchange out of reach for new users in the UK, setting the scene for a battle by Binance to return to one of the sector's biggest markets outside of the US.

The UK's financial promotions regime was widened starting on Oct. 8 to include cryptoasset service providers, regardless of their location. All crypto platforms are now required by the regulator to display clear risk warnings to UK-based consumers and meet higher technical standards, with all communications needing to be approved by an FCA-authorized firm. Penalties for not doing so include being added to the FCA's public warning list, as well as unlimited fines and prison time.

Devin Ulibarri, the Free Software Foundation's outreach and communications coordinator, writes up an event he describes as meeting with some old and new friends: On Sunday, October 1, the Free Software Foundation (FSF) hosted a hackday to celebrate the fortieth anniversary of the GNU Project. Folks came from both near and far to join in the festivities at FSF headquarters, Boston, MA... Sadi moma bela loza, the Bulgarian melody from which The Free Software Song is set, could be heard faintly playing in a nearby room, its distinctive odd-metered tune performed by a fully-liberated X200...

All in all, the event succeeded in our goal of welcoming both long-time members as well as introducing new people to free software and our cause. A few college students from local universities, for example, were able to ask questions seeking to better understand free software licenses and GNU Project history. We received multiple requests from attendees to host similar events again in the near future. And one parent, whose son played NetHack at the event, reported that, the following morning, his son asked to go to the FSF office after school to play it again. When playing he mastered the "vi" movement keys immediately. We hope they serve him well...!

Happy hacking and please stay tuned for more FSF-hosted events, including LibrePlanet 2024!

Jessica Lyons Hardcastle reports via The Register: The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer. "The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register. The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."

TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations. In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception. At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."

At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks." It did, however, face criticism from the security community over its response to the vulnerabilities -- and the proprietary nature of the encryption algorithms, which makes it more difficult for proper pentesting of the emergency network system. "This whole idea of secret encryption algorithms is crazy, old-fashioned stuff," said security author Kim Zetter who first reported the story. "It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."

Scientists have used the gene-editing technology known as CRISPR to create chickens that have some resistance to avian influenza, according to a new study that was published in the journal Nature Communications on Tuesday. From a report: The study suggests that genetic engineering could potentially be one tool for reducing the toll of bird flu, a group of viruses that pose grave dangers to both animals and humans. But the study also highlights the limitations and potential risks of the approach, scientists said. Some breakthrough infections still occurred, especially when gene-edited chickens were exposed to very high doses of the virus, the researchers found. And when the scientists edited just one chicken gene, the virus quickly adapted. The findings suggest that creating flu-resistant chickens will require editing multiple genes and that scientists will need to proceed carefully to avoid driving further evolution of the virus, the study's authors said.

The research is "proof of concept that we can move toward making chickens resistant to the virus," Wendy Barclay, a virologist at Imperial College London and an author of the study, said at a news briefing. "But we're not there yet." Some scientists who were not involved in the research had a different takeaway. "It's an excellent study," said Dr. Carol Cardona, an expert on bird flu and avian health at the University of Minnesota. But to Dr. Cardona, the results illustrate how difficult it will be to engineer a chicken that can stay a step ahead of the flu, a virus known for its ability to evolve swiftly. "There's no such thing as an easy button for influenza," Dr. Cardona said. "It replicates quickly, and it adapts quickly."

An anonymous reader quotes a report from Ars Technica: Facebook may have to overhaul its entire ad-targeting system after a California court ruled (PDF) last month that the platform's practice of routinely targeting ads by age, gender, and other protected categories violates a state anti-discrimination law. The decision came after a 48-year-old Facebook user, Samantha Liapes, fought for years to prove that Facebook had discriminated against her as an older woman using the platform's ad-targeting system to shop for life insurance policies.

Liapes filed a class-action lawsuit against Facebook in 2020. In her complaint, Liapes alleged that "Facebook requires all advertisers to choose the age and gender of its users who will receive ads, and companies offering insurance products routinely tell it to not send their ads to women or older people." Further, she alleged that Facebook's ad-delivery algorithm magnifies the problem by using these required inputs to serve the ads to "lookalike audiences." Through its algorithm, Liapes alleged that she found that Facebook "discriminates against women and older people," by intentionally excluding them from seeing certain life insurance ads. This, Liapes alleged, caused harm by preventing her from signing up for deals that "often change and may expire" -- deals which she said were disproportionately being advertised on Facebook to younger and/or male audiences. As evidence, Liapes pointed to ads that Facebook did not serve to her -- allegedly because advertisers used the platform's Audience Selection and Lookalike Audience tools to exclude her -- as an older woman [...]. "As a result, she had a harder time learning about those products or services," Liapes' complaint alleged. [...]

Initially, a court agreed with Facebook's arguments that Liapes had not provided sufficient evidence establishing Facebook's intent or demonstrating harms caused, but rather than amend her complaint, Liapes appealed. Then, in what tech law expert Eric Goldman on his blog called a "shocking conclusion," a California court last month reversed that initial decision, finding instead that Facebook's ad-targeting tools are not neutral, discriminate against users by age and gender, and are not immune under Section 230 of the Communications Decency Act. Goldman -- who joked that Liapes wanting more Facebook ads is "a desire shared by almost no one" -- said that the potential impact of this ruling goes beyond possibly shaking up Facebook's ad system. It also seemingly implicates every other ad network by finding that "any gender- or age-based ad targeting for any product or service (and targeting based on any other protected characteristics) could violate the Unruh Act." If the ruling is upheld, that could "have devastating effects on the entire Internet ecosystem," Goldman warned. "The court's single-minded determination to find a valid discrimination claim under these conditions casts a long and troubling shadow over the online advertising industry," Goldman wrote in his blog. "Who needs new privacy laws if the Unruh Act already bans most ad targeting?"

"The opinion never expressly says that the Unruh Act regulates ad targeting," Goldman told Ars. "It takes some reading between the lines to reach that conclusion."

Climate breakdown is already changing the taste and quality of beer, scientists have warned. From a report: The quantity and quality of hops, a key ingredient in most beers, is being affected by global heating, according to a study. As a result, beer may become more expensive and manufacturers will have to adapt their brewing methods. Researchers forecast that hop yields in European growing regions will fall by 4-18% by 2050 if farmers do not adapt to hotter and drier weather, while the content of alpha acids in the hops, which gives beers their distinctive taste and smell, will fall by 20-31%.

"Beer drinkers will definitely see the climate change, either in the price tag or the quality," said Miroslav Trnka, a scientist at the Global Change Research Institute of the Czech Academy of Sciences and co-author of the study, published in the journal Nature Communications. "That seems to be inevitable from our data." Beer, the third-most popular drink in the world after water and tea, is made by fermenting malted grains like barley with yeast. It is usually flavoured with aromatic hops grown mostly in the middle latitudes that are sensitive to changes in light, heat and water. Climate-induced decline in the quality and quantity of European hops calls for immediate adaptation measures (Nature).

As the FCC leans towards reinstating net neutrality and regulating ISPs under Title II, the broadband sector is set to challenge the move. Previously, courts have upheld FCC's decisions. However, legal experts believe the Supreme Court's current stance may hinder the FCC's authority to classify broadband as a telecommunications service. ArsTechnica: The major question here is whether the FCC has authority to decide that broadband is a telecommunications service, which is important because only telecommunications services can be regulated under Title II's common-carrier framework. "A Commission decision reclassifying broadband as a Title II telecommunications service will not survive a Supreme Court encounter with the major questions doctrine. It would be folly for the Commission and Congress to assume otherwise," two former Obama administration solicitors general, Donald Verrilli, Jr. and Ian Heath Gershengorn, argued in a white paper last month. According to Verrilli and Gershengorn, "There is every reason to think that a majority of the Supreme Court" would vote against the FCC.

Verrilli and Gershengorn express their view with a striking level of certainty given how difficult it usually is to predict a Supreme Court outcome -- particularly in a case like this, where the agency decision isn't even finalized. While litigation in lower courts is to be expected, it's not even clear that the Supreme Court will take up the case at all. The certainty expressed by Verrilli and Gershengorn is less surprising when you consider that their white paper was funded by USTelecom and NCTA -- The Internet & Television Association, two broadband industry trade groups that sued the Obama-era FCC in a failed attempt to overturn the net neutrality rules. The groups -- which represent firms like AT&T, Verizon, Comcast, and Charter -- eventually got their way when then-FCC Chairman Ajit Pai led a repeal of the rules in 2017. But the industry-funded white paper has gotten plenty of attention, and the FCC is keenly aware of the so-called "major questions doctrine" that it describes. The FCC's Notice of Proposed Rulemaking (NPRM), which is pending a commission vote, will seek public comment on how the major questions doctrine might affect Title II regulation and net neutrality rules that would prohibit blocking, throttling, and paid prioritization.

Amazon has launched its first two satellites for its Project Kuiper, the tech giant's initiative to build a massive constellation of satellites that can provide internet coverage to Earth. From a report: An Atlas V rocket, operated by United Launch Alliance, lofted the pair of satellites en route to orbit from Florida at 2:06 p.m. local time Friday. The mission is still ongoing, and it's unclear when the satellites will be deployed from the rocket.

Project Kuiper's goal is to eventually put 3,326 satellites into low Earth orbit, where they will beam broadband internet service to the ground below, similar to Elon Musk's SpaceX Starlink. The two launched Friday, KuiperSat-1 and KuiperSat-2, are test satellites that will allow Amazon to demonstrate the ability to send and receive broadband signals. This mission has been long delayed. Amazon originally hoped to launch these satellites a year ago on a different, experimental rocket. However, the company wound up switching the launch vehicle for these satellites multiple times, eventually landing on ULA's workhorse Atlas V rocket, in order to get the satellites into space more quickly.

South Korea's telecommunications regulator said on Friday that Alphabet's Google and Apple have abused their dominant app market position and warned of possible fines totalling up to $50.5 million. From a report: The Korea Communications Commission (KCC) said in a statement that the two tech giants forced app developers into specific payment methods and caused unfair delay in app review. The KCC is notifying the companies for corrective action, and will deliberate on the fines, the statement said. "What KCC has shared today is the pre-notice and we will carefully review and submit our response. Once the final written decision is shared with us we will carefully review to evaluate the next course of action," Google said in a statement to Reuters. Apple also issued a statement, saying: "We disagree with the conclusions made by the KCC in their Examiner's Report, and believe the changes we have implemented to the App Store comply with the Telecommunications Business Act. As we have always done, we will continue to engage with the KCC to share our views."

The Biden administration has urged the FCC to adopt strong rules to redress historic shortfalls that have left some communities lacking adequate broadband service. From a report: The position sets up a possible clash with large broadband providers that have warned the FCC, which is set to produce rules by next month, against unnecessary regulations. Clear rules are needed to close the digital divide that leaves millions without adequate broadband, the National Telecommunications and Information Administration said in a statement. The Commerce Department unit advises the president and develops internet policy. "Strong rules are needed to remedy unequal access to internet service, no matter what the cause may be," said Alan Davidson, the assistant secretary of commerce for communications and information, who is also the NTIA's top official. "Rules that combat digital discrimination will bring lasting relief to vulnerable communities that historically have been left behind online."

The FCC is considering regulations to prevent and eliminate digital discrimination of access based on income level, race and other factors, according to Chairwoman Jessica Rosenworcel. Broadband advocates have told the agency they want deep changes that will steer spending into cities. Some urban neighborhoods have suffered from disinvestment dating back to redlining decades ago, when government-aided discriminatory lending patterns starved neighborhoods of housing resources. Many of those areas still aren't prosperous, and haven't seen network upgrades.

Becky Ferreira writes via the New York Times: Last November, a satellite in low-Earth orbit unfurled into an expansive array that extends across nearly 700 square feet, about the size of a studio apartment. The satellite, BlueWalker 3, has since become one of the brightest objects in the sky, outshining some of the most radiant stars in the Milky Way, according to a study published on Monday in Nature -- and it is just the first of dozens of similar satellites that are in development by AST SpaceMobile, a company that aims to keep smartphones connected from orbit. "The issue is not necessarily that one satellite," said Siegfried Eggl, an astrophysicist at the University of Illinois, Urbana-Champaign and an author of the new study, "but that it is a predecessor or prototype of a constellation, so there's going to be a lot of those out there eventually."

Initially launched in September 2022, BlueWalker 3 is the forerunner of AST SpaceMobile's BlueBird satellites, which aim to serve as a network of orbital cell towers with the goal "to democratize access to knowledge and information regardless of where people live and work," a spokesperson for AST SpaceMobile said. Last month, BlueWalker 3 successfully relayed its first 5G connection to a smartphone in a cellular coverage gap on Earth. AST SpaceMobile is one of many companies racing to capture the surging demand for global broadband connectivity. "At the moment, there are 18 constellations that we know are planned all over the world," Dr. Eggl said. "The total number of satellites is a stunning half a million that people are planning to put up there. This is 100 times more than we already have."

AST SpaceMobile made BlueWalker 3's array so large in order to beam strong cellular coverage directly to phones on Earth. The satellite is made of many small antennas that can connect existing smartphones, which is an approach that distinguishes the company from Starlink and other planned constellations that currently rely on ground antennas or dishes. [...] AST SpaceMobile said that it was working with astronomers on techniques to reduce disruptions. It also contrasted the number in its constellation with the tens of thousands planned by other companies. The spokesperson said it could "provide substantial global coverage with around 90 satellites." Though BlueBird satellites would be far fewer in number, they are at least 64 times as big and bright as a Starlink satellite. The SpaceX orbiters are also brightest in the days after their deployment, but they become much fainter once they settle into their target orbits. Astronomers expect that the BlueBird satellites will remain bright in the sky throughout most of their lifetime. As a consequence, one of these satellites could interfere with data captured by astronomical observatories.

Russia's communications watchdog plans to block VPNs from March 1 next year, a Russian senator for the ruling United Russia party said on Tuesday. From a report: Demand for VPN services soared after Russia restricted access to some Western social media after President Vladimir Putin ordered troops into Ukraine in February 2022. Senator Artem Sheikin said an order from the Roskomnadzor watchdog would come into force on March 1 that would block VPNs. "From March 1, 2024, an order will come into force to block VPN services providing access to sites banned in Russia," Sheikin was quoted as saying by state news agency RIA.

An anonymous reader quotes a report from CBS News: Your electronic devices may alarm you on Wednesday afternoon — but there's a reason for that. A nationwide test of the federal emergency alert system will be broadcast at approximately 2:20 p.m. EDT to cellphones, televisions and radios across the United States at around the same time. Most Americans with wireless cellular devices will receive an emergency alert message, as will most whose televisions or radios are on when the test occurs.

The Federal Emergency Management Agency will conduct Wednesday's test in coordination with the Federal Communications Commission. Emergency alert messages that make up the test are divided into two groups -- the Emergency Alert System (EAS) for radios and televisions, and the Wireless Emergency Alerts (WEA) for wireless phones -- although both are scheduled to happen at once. Wednesday will mark the seventh nationwide test of the Emergency Alert System. Six previous tests were conducted over the years between November 2011 and August 2021. This will be the third nationwide test of wireless alerts, and the second nationwide test transmitted to all cellphones, FEMA said in a statement. As the wireless alert tests are sent out to phones, the Emergency Alert System tests will be sent out to televisions and radios.

People can elect not to receive certain emergency alert messages to their cellphones from local authorities, or in some instances, simply decide whether to subscribe or not to a specific set of emergency alerts put out by a particular agency. On the other hand, it is not possible to opt out of the upcoming test of the national wireless alert system. All major wireless providers participate in FEMA's wireless alert system. So, most people whose cellphones are turned on and located within range of an active cell tower during the test should receive a message, the agency said (PDF).

Todd Shields and Loren Grush reporting via Bloomberg: Dish Network Corp. was fined $150,000 by US regulators for leaving a retired satellite parked in the wrong place in space, reflecting official concern over the growing amount of debris orbiting Earth and the potential for mishaps. The Federal Communications Commission called the action its first to enforce safeguards against orbital debris. "This is a breakthrough settlement, making very clear the FCC has strong enforcement authority and capability to enforce its vitally important space debris rules," Loyaan A. Egal, the agency's enforcement bureau chief, said in a statement.

Dish's EchoStar-7 satellite, which relayed pay-TV signals, ran short of fuel, and the company retired it at an altitude roughly 76 miles (122 kilometers) above its operational orbit. It was supposed to have been parked 186 miles above its operational orbit, the FCC said in an order (PDF). The company admitted it failed to park EchoStar-7 as authorized. It agreed to implement a compliance plan and pay a $150,000 civil penalty, the FCC said.

A Kenyan parliamentary panel called on the country's information technology regulator on Monday to shut down the operations of cryptocurrency project Worldcoin within the country until more stringent regulations are put in place. From a report: The government suspended the project in early August following privacy objections over its scanning of users' irises in exchange for a digital ID to create a new "identity and financial network". Worldcoin was rolled out in various countries around the world by Tools for Humanity, a company co-founded by OpenAI CEO Sam Altman. It has also come under scrutiny in Britain, Germany and France. The project still has a virtual presence in Kenya and can be accessed via the Internet, even after the August suspension. The regulatory Communications Authority of Kenya should "disable the virtual platforms of Tools for Humanity Corp and Tools for Humanity GmbH Germany (Worldcoin) including blacklisting the IP addresses of related websites," the ad hoc panel of 18 lawmakers said in a report.

America's Department of Justice "has finally posted what judge Amit Mehta described at the Google search antitrust trial as an 'embarrassing' exhibit that Google tried to hide from the public," reports Ars Technica: The document in question contains meeting notes that Google's vice president for finance, Michael Roszak, "created for a course on communications," Bloomberg reported. In his notes, Roszak wrote that Google's search advertising "is one of the world's greatest business models ever created" with economics that only certain "illicit businesses" selling "cigarettes or drugs" "could rival."

At trial, Roszak told the court that he didn't recall if he ever gave the presentation. He said that the course required that he tell students "things I don't believe as part of the presentation." He also claimed that the notes were "full of hyperbole and exaggeration" and did not reflect his true beliefs, "because there was no business purpose associated with it." According to Bloomberg, Google repeatedly objected to the document being shared in court, claiming it was irrelevant to the DOJ's case. Then, after Mehta allowed the DOJ to present the document as evidence, Google tried to seal off Roszak's testimony on the document...

Beyond likening Google's search advertising business to illicit drug markets, Roszak's notes also said that because users got hooked on Google's search engine, Google was able to "mostly ignore the demand side" of "fundamental laws of economics" and "only focus on the supply side of advertisers, ad formats, and sales." This was likely the bit that actually interested the DOJ. "We could essentially tear the economics textbook in half," Roszak's notes said. Part of the DOJ's case argues that because Google has a monopoly over search, it's less incentivized to innovate products that protect consumers from harm like invasive data collection.

A Google spokesman told Bloomberg that Roszak's statements "don't reflect the company's opinion" and "were drafted for a public speaking class in which the instructions were to say something hyperbolic and attention-grabbing." The spokesman also noted that Roszak "testified he didn't believe the statements to be true."