News

Google has cut code migration time in half by deploying AI tools to assist with large-scale software updates, according to a new research paper from the company's engineers. The tech giant used large language models to help convert 32-bit IDs to 64-bit across its 500-million-line codebase, upgrade testing libraries, and replace time-handling frameworks. While 80% of code changes were AI-generated, human engineers still needed to verify and sometimes correct the AI's output. In one project, the system helped migrate 5,359 files and modify 149,000 lines of code in three months.

Read more of this story at Slashdot.

Microsoft has patched a Windows vulnerability that allowed attackers to bypass Secure Boot, a critical defense against firmware infections, the company said. The flaw, tracked as CVE-2024-7344, affected Windows devices for at least seven months. Security researcher Martin Smolar discovered the vulnerability in a signed UEFI application within system recovery software from seven vendors, including Howyar. The application, reloader.efi, circumvented standard security checks through a custom PE loader. Administrative attackers could exploit the vulnerability to install malicious firmware that persists even after disk reformatting. Microsoft revoked the application's digital signature, though the vulnerability's impact on Linux systems remains unclear.

Read more of this story at Slashdot.

Nvidia has dedicated a supercomputer running thousands of its latest GPUs exclusively to improving its DLSS upscaling technology for the past six years, a company executive revealed at CES 2025. Speaking at the RTX Blackwell Editor's Day in Las Vegas, Brian Catanzaro, Nvidia's VP of applied deep learning research, said the system operates continuously to analyze failures and retrain models across hundreds of games.

Read more of this story at Slashdot.

U.S. President Joe Biden has issued a comprehensive cybersecurity executive order, four days before leaving office, mandating improvements to government network monitoring, software procurement, AI usage, and foreign hacker penalties. The 40-page directive aims to leverage AI's security benefits, implement digital identities for citizens, and address vulnerabilities that have allowed Chinese and Russian intrusions into U.S. government systems. It requires software vendors to prove secure development practices and gives the Commerce Department eight months to establish mandatory cybersecurity standards for government contractors.

Read more of this story at Slashdot.

Nintendo's top intellectual property lawyer has acknowledged that video game emulators are technically legal, even as the company continues to shut down popular emulation projects worldwide. Speaking at the Tokyo eSports Festa, Koji Nishiura, deputy general manager of Nintendo's intellectual property department, said emulators violate the law only when they bypass encryption, copy copyrighted console programs, or direct users to pirated material. The statement comes after Nintendo forced the closure of several major emulation projects last year, including Yuzu, Citra, and Ryujinx.

Read more of this story at Slashdot.

Raw drinking water sources across England are polluted with toxic forever chemicals, new analysis has revealed, prompting the water sector to demand that ministers ban the substances and polluters pay for the astronomical cleanup costs. The Guardian: The areas covered by Affinity Water and Anglian Water were found to be particularly badly affected, and experts have said they fear "we are drastically underestimating the size of the problem." There are more than 10,000 PFAS in use, known as forever chemicals because they do not break down in the environment. [...] In an unprecedented move, the industry body Water UK has said it "wants to see PFAS banned and the development of a national plan to remove it from the environment which should be paid for by manufacturers." It described PFAS pollution as a "huge global challenge" and said: "The UK's tap water is rated as the safest in the world, and companies are already taking action to reduce PFAS levels further." In an attempt to tackle the problem, the EU is considering a proposal to regulate all 10,000 or so PFAS together, but the PFAS industry is lobbying against it and the UK has no plans to follow suit.

Read more of this story at Slashdot.

Replit, an AI coding startup platform, has made a dramatic pivot away from professional programmers in a fundamental shift in how software may be created in the future. "We don't care about professional coders anymore," CEO Amjad Masad told Semafor, as the company refocuses on helping non-developers build software using AI. The strategic shift follows the September launch of Replit's "Agent" tool, which can create working applications from simple text commands. The tool, powered by Anthropic's Claude 3.5 Sonnet AI model, has driven a five-fold revenue increase in six months. The move marks a significant departure for Replit, which built its business providing online coding tools for software developers. The company is now betting that AI will make traditional programming skills less crucial, allowing non-technical users to create software through natural language instructions.

Read more of this story at Slashdot.

Nintendo announced on Thursday it will unveil its next-generation Switch 2 gaming console at a digital event on April 2, marking the end of its nearly eight-year-old flagship model. The Japanese gaming giant revealed in a two-minute video that the new device maintains a similar hybrid design to the original Switch but is larger, with redesigned controllers that attach magnetically.

Read more of this story at Slashdot.

Several problems have been addressed in Tomcat 10, a Java based web server, servlet and JSP engine which may lead to a denial-of-service.

CVE-2024-38286

Apache Tomcat, under certain configurations, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

CVE-2024-50379 / CVE-2024-56337

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). Some users may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat.

https://security-tracker.debian.org/tracker/DSA-5845-1

An anonymous reader quotes a report from TechCrunch: On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, which marks the first time this type of software -- also known as government or mercenary spyware -- has been discussed at the Security Council. The goal of the meeting, according to the U.S. Mission to the UN, was to "address the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security." The United States and 15 other countries called for the meeting. While the meeting was mostly informal and didn't end with any concrete proposals, most of the countries involved, including France, South Korea, and the United Kingdom, agreed that governments should take action to control the proliferation and abuse of commercial spyware. Russia and China, on the other hand, dismissed the concerns. John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, gave testimony in which he sounded the alarm on the proliferation of spyware made by "a secretive global ecosystem of developers, brokers, middlemen, and boutique firms," which "is threatening international peace and security as well as human rights." Scott-Railton called Europe "an epicenter of spyware abuses" and a fertile ground for spyware companies, referencing a recent TechCrunch investigation that showed Barcelona has become a hub for spyware companies in the last few years. Representatives of Poland and Greece, countries that had their own spyware scandals involving software made by NSO Group and Intellexa, respectively, also intervened. Poland's representative pointed at local legislative efforts to put "more control, including by the judiciary, on the relevant operational activities of the security and intelligence services," while also recognizing that spyware can be used in a legal way. "We are not saying that the use of spyware is never justified or even required," said Poland's representative. And the Greek representative pointed to the country's 2022 bill to ban the sale of spyware.

Read more of this story at Slashdot.

A pastor in Pasco, Washington, has been indicted on 26 counts of fraud for orchestrating a cryptocurrency scam that defrauded over 1,500 investors of nearly $5.9 million between 2021 and 2023. Many of the investors were members of his congregation. BleepingComputer reports: The US Department of Justice says the pastor, Francier Obando Pinillo, 51, used his position to recruit investors into a fraudulent cryptocurrency venture called "Solano Fi," which he told them "came to him in a dream" and was a guaranteed investment. "Pinillo used his position as pastor to induce members of his congregation and others to invest their money in a cryptocurrency investment business known as Solano Fi," reads the US Department of Justice announcement. "Pinillo claimed the idea for Solano Fi had come to him in a dream and that it was a safe and guaranteed investment." The pastor also set up a Facebook page for Solano Fi to attract more investors outside his direct sphere of influence, as well as a Telegram group named 'Multimillionarios SolanoFi,' which had 1,500 members. The indictment alleged that Pinillo promised investors they would receive guaranteed monthly investment returns of 34.9% at no risk whatsoever. The indictment further claims he directed the victims to make cryptocurrency transfers to wallets under his control, and instead of investing the funds, he diverted them for personal use. Investors were provided access to a Solano Fi web app where they could manage their funds; however, the app showed fake balances and investment returns. Those convinced by the fraud were encouraged to recruit more investors for additional returns, expanding the victims' circle. As in similar scams, when the victims attempted to withdraw money from the Solano Fi app, the transaction failed.

Read more of this story at Slashdot.

Sweden has begun constructing a long-term storage facility for spent nuclear fuel in Forsmark, making it only the second country after Finland to build such a site. It is not expected to be completed until the 2080s, but once finished, it will securely house radioactive waste for up to 100,000 years. Reuters reports: The Forsmark final repository, about 150 kilometers north of Stockholm on Sweden's east coast, will consist of 60 km of tunnels buried 500 meters down in 1.9 billion year old bedrock. It will be the final home for 12,000 tons of spent nuclear fuel, encased in 5 meter long, corrosion-resistent copper capsules that will be packed in clay and buried. The facility will take its first waste in the late 2030s but will not be completed until around 2080 when the tunnels will be backfilled and closed, Sweden's Nuclear Fuel and Waste Management Company (SKB) said. [...] The Forsmark repository will cost around 12 billion crowns($1.08 billion) and be paid for by the nuclear industry, SKB said. It will have room to hold all the waste produced by Sweden's nuclear power plants. However, it will not hold fuel from future reactors. Sweden plans to build 10 more reactors by 2045.

Read more of this story at Slashdot.

An anonymous reader quotes a report from VentureBeat: Colossal BioSciences has raised $200 million in a new round of funding to bring back extinct species like the woolly mammoth. Dallas- and Boston-based Colossal is making strides in the scientific breakthroughs toward "de-extinction," or bringing back extinct species like the woolly mammoth, thylacine and the dodo. [...] Since launching in September 2021, Colossal has raised $435 million in total funding. This latest round of capital places the company at a $10.2 billion valuation. Colossal will leverage this latest infusion of capital to continue to advance its genetic engineering technologies while pioneering new revolutionary software, wetware and hardware solutions, which have applications beyond de-extinction including species preservation and human healthcare. "Our recent successes in creating the technologies necessary for our end-to-end de-extinction toolkit have been met with enthusiasm by the investor community. TWG Global and our other partners have been bullish in their desire to help us scale as quickly and efficiently as possible," said CEO Colossal Ben Lamm, in a statement. "This funding will grow our team, support new technology development, expand our de-extinction species list, while continuing to allow us to carry forth our mission to make extinction a thing of the past." Here's a summary of the startup's progress on its efforts to bring back the woolly mammoth, thylacine and the dodo: Woolly Mammoth De-extinction Progress - Generated chromosome-scale reference genomes for elephants and the first de novo assembled mammoth genome - Acquired and aligned 60+ ancient mammoth genomes and 30+ genomes of extant elephant species, improving mammoth-specific variant accuracy - Derived pluripotent stem cells for Asian elephants, advancing reproductive technologies essential for de-extinction Thylacine De-extinction Progress - Created a 99.9% complete ancient genome for the thylacine using long-read and RNA sequencing - Assembled telomere-to-telomere genomes of dasyurid species to understand evolutionary relationships and support conservation of marsupials - Progress in genomics and reproductive technologies positions Colossal ahead of schedule on critical de-extinction steps Dodo De-extinction Progress - Completed high-coverage genomes for the dodo, its relatives, and the critically endangered manumea - Developed tools for avian genome engineering, including techniques for craniofacial gene-editing and primordial germ cell cultivation - Significant advances in avian-specific genetic techniques are driving progress toward dodo restoration and bird conservation

Read more of this story at Slashdot.

The FTC is issuing refunds for 6,764 customers who purchased Razer's Zephyr face mask, which falsely advertised as meeting N95 standards. GameSpot reports: In May 2024, the FTC announced that a settlement was reached with Razer for more than $1 million. The fine occurred because Razer claimed its face mask met N95 requirements, even though it was never submitted for certification to test whether it removed 95% of airborne particles, per the FTC. In the middle of the COVID-19 pandemic, Razer revealed the N95 face mask with RGB lighting and voice amplification at CES in January 2021. The Razer Zephyr face mask eventually launched in October 2021 for $100. However, just months later in January 2022, Razer removed the N95 claims about the face mask. At the time of the settlement with the FTC, Razer stated that it disagreed with the agency's allegations and didn't "admit to any wrongdoing." Meanwhile, the FTC says checks must be cashed within 90 days for the Zephyr face mask refunds, while PayPal payments need to be redeemed within 30 days.

Read more of this story at Slashdot.

Roseltorg, Russia's main electronic trading platform for government and corporate procurement, confirmed it was targeted by a cyberattack claimed by the pro-Ukraine hacker group Yellow Drift. The group allegedly deleted 550 terabytes of data, causing significant operational delays and client concerns. The Record reports: The company initially confirmed last Thursday that its services had been temporarily suspended, without providing further details. In a recent Telegram statement, Roseltorg disclosed that it had been targeted by "an external attempt to destroy data and the entire infrastructure of electronic trading." Roseltorg stated that all data and infrastructure affected by the recent attack had been fully restored, and trading systems are expected to resume operations shortly. However, as of the time of writing, the company's website remains offline. Last week, the previously unknown pro-Ukraine hacker group Yellow Drift claimed responsibility for the attack on Roseltorg, stating they had deleted 550 terabytes of data, including emails and backups. As proof, the hackers published screenshots from the platform's allegedly compromised infrastructure on their Telegram channel. "If you support tyranny and sponsor wars, be prepared to return to the Stone Age," the hackers said. The cyberattack on Roseltorg is already impacting clients who rely on the platform's operations, including government agencies, state-owned companies and suppliers. Following the company's announcement, many clients expressed concerns in the comments section, complaining about potential financial losses and delays in the procurement process. Roseltorg said in a statement that once access to the trading systems is reinstated, all deadlines for procedures, including contract signings, will be automatically extended without requiring any requests from users.

Read more of this story at Slashdot.

Diamond Comic Distributors, the world's biggest English language comic book distributor, is filing for bankruptcy and scaling its business back in order to survive. The Verge reports: In a letter sent to comics retailers and publishers today, Diamond president Chuck Parker announced that the company has filed for Chapter 11 Bankruptcy and plans to sell off its Alliance Game Distributors arm to Universal in order to "protect the most vital aspects of our business." Founded in 1982 by Stephen A. Geppi (who still serves as CEO), Diamond became a heavyweight in the comics business by securing a number of exclusive distribution agreements with various publishing houses like DC, Marvel, and Image. For decades, Diamond -- which also publishes its Previews magazine showcasing upcoming titles -- was instrumental in bringing comics to market and played a huge role in determining a book's success because of how Previews influenced retailer orders. "This decision was not made lightly, and I understand that this news may be as difficult to hear as it is for me to share," Parker said. "The Diamond leadership team and I have worked tirelessly to avoid this outcome but the financial challenges we face have left us with no other viable option."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Lots of startups use Google's productivity suite, known as Workspace, to handle email, documents, and other back-office matters. Relatedly, lots of business-minded webapps use Google's OAuth, i.e. "Sign in with Google." It's a low-friction feedback loop -- up until the startup fails, the domain goes up for sale, and somebody forgot to close down all the Google stuff. Dylan Ayrey, of Truffle Security Co., suggests in a report that this problem is more serious than anyone, especially Google, is acknowledging. Many startups make the critical mistake of not properly closing their accounts -- on both Google and other web-based apps -- before letting their domains expire. Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain allows you to re-activate the Google accounts for former employees if the site's Google account still exists. With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials. A Google spokesperson said in a statement: "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk."

Read more of this story at Slashdot.

GOG.com, a European digital distribution platform known for offering DRM-free video games, announced they've joined the European Federation of Game Archives, Museums and Preservation Projects (EFGAMP). From the release: "GOG was created with video game preservation in mind," said Maciej Golebiewski, Managing Director at GOG. "Classic games and the mission to safeguard them for future generations have always been at the core of our work. Over the past decade, we've honed our expertise in this area. The GOG Preservation Program, which ensures compatibility for over 100 games and delivers hundreds of enhancements, is just one example of this commitment. We were thrilled to see the Program warmly received not only by our players but also by our partners and the gaming industry as a whole." Golebiewski further explained that GOG's role in preservation extends beyond its platform. He highlighted, "As a European company, we feel a responsibility to lead in preserving gaming heritage. Joining EFGAMP reinforces this commitment. Our next step is to expand institutional collaboration with museums and governmental and non-governmental organizations worldwide. We hope our experience will contribute meaningfully to their efforts. We are also discussing exciting new game preservation projects, which we look forward to sharing soon."

Read more of this story at Slashdot.

Independent developer Sebastian Vogelsang is building a photo-sharing app for the decentralized social network Bluesky, leveraging its AT Protocol and his earlier app, Skeets. The app, called Flashes, will offer features like photo and short video posts while integrating seamlessly with Bluesky. TechCrunch reports: When launched, Flashes could tap into growing consumer demand for alternatives to Big Tech's social media monopoly. [...] To make this work, Flashes simply filters Bluesky's existing timeline for posts with photos and video posts. (In the future, Vogelsang also plans to add metadata to Flashes' posts so Bluesky users would have a way to keep their feeds on Bluesky's main app from being flooded with photo posts if that became a problem.) Flashes didn't take too long to build because it was able to reuse Skeets' existing code. The app will also be able to market to Skeets' existing user base, who have now downloaded the app some 30,500 times to date. Vogelsang says he's now working to integrate subscription-based features from both his apps so users don't have to pay twice for the premium features, like Skeets' bookmarks, drafts, muting, rich push notifications, and others specific to Flashes. (Both apps are free to use without a subscription, we should note.) Later, Vogelsang says he wants to launch a video-only app, too, called Blue Screen. At launch, Flashes will support photo posts of up to four images and videos of up to 1 minute in length, just like Bluesky. Users who post to Flashes will also have their posts appear on Bluesky and comments on those posts will also feed back into the app as if it were just another Bluesky client. It will also support Bluesky's direct messages. The developer expects to be able to launch Flashes to the public in a matter of weeks with a TestFlight beta arriving ahead of that. Interested users can follow Flashes' account on Bluesky for further updates. Flashes could satiate the growing demand for alternatives to Big Tech's social media monopoly, especially after Meta CEO Mark Zuckerberg announced that he will end fact-checking on its platforms.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TorrentFreak: In 'piracy' associated circles, Z-Library has one of the most followed Telegram channels of all. The shadow library's official channel amassed over 630,000 subscribers over the years, who were among the first to read site announcements and other key updates. Z-Library previously had some of its messages removed due to copyright infringement. While it didn't upload or directly link to infringing material on Telegram, rightsholders allegedly complained about the links that were posted to the Z-Library website. In response, Z-Library chose to no longer include links to its own homepage on Telegram. Instead, it referred users to Wikipedia and Reddit, where the links were still available. The same copyright awareness was visible at Anna's Archive, a popular shadow library search engine. This channel was also careful not to post direct links to infringing material. After all, sharing or uploading copyrighted books would undoubtedly lead to trouble. Despite the reported caution, the channels of both Z-Library and Anna's Archive are no longer accessible today. Messages posted by these accounts were purged "due to copyright infringement", as shown below. Telegram didn't limit its action to removing posts; the channels are now entirely inaccessible. Those trying to access the channels in the Telegram app receive a pop-up message stating they are "unavailable due to copyright infringement." The simultaneous removal of both channels suggests they are linked to the same complaint or decision. The specific complaint and alleged copyright infringements remain unclear.

Read more of this story at Slashdot.