#PPOD: Taken on an island in the Maldives, this stunning photograph shows the beautiful Milky Way over a night-time shoreline highlighted by vibrant bioluminescence in the water. Also visible is the star cluster Omega Centauri, toward the left, and the famous Southern Cross asterism in the center. Red-glowing nebulas include the bright Carina Nebula, just right of center, and the expansive Gum Nebula on the upper right. Credit: Petr Horálek / Institute of Physics in Opava
I was on the Slate What Next podcast over the weekend talking about the implications of #Durov's arrest. Transcript and audio here. https://slate.com/transcripts/a2cvbDZlQkVUVm9SZDV5cmdSWEN0a3F0OTN1R0lvblMwTk4yeTZkOEU1bz0= #Telegram
Cisco's site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
In its expanding arrogance (which is really saying something), Microsoft has decided that an apparent user option (in an upcoming Windows 11 version) to turn off pervasive spying on everything you do is a bug.
You read that right. The bug is the pretense of saying that you ever had the option to choose privacy and security.
https://www.theverge.com/2024/9/2/24233992/microsoft-recall-windows-11-uninstall-feature-bug
I’ll reiterate what many others have said about the yubikey story - unless you’re the target of super sophisticated actors who do not want you to know they’ve stolen your yubikey*, this is a bit of a non-event and highlights the importance of keeping track of your yubikeys. Please don’t toss them, but do keep an eye out for further developments. Once an issue like this is identified, it attracts a lot of attention from many smart people and there may well be other findings in the future, but for now, yubikeys are good enough for most of us.
* I know there are a bunch of people convinced you’re being pursued by these advanced adversaries. I worry about you. For many reasons.
I listened to the first episode of the “Change, Technically” podcast from @grimalkina and @analog_ashley, and it was really hard not to spend the whole episode yelling out loud — either in vehement agreement, or to say “That but even more so! You’re not going far enough!!”
Good stuff for anybody interested in human beings who write software: https://www.changetechnically.fyi
Stanford engineers have devised a new technique, called redox-couple electrodialysis, to extract lithium from brines at an estimated 40% of the cost of today’s dominant extraction method (evaporation), and at just a fourth of lithium’s current market price. The new technology would also be much more reliable and sustainable in its use of water, chemicals, and land. https://buff.ly/3AGOjt0 #ShareGoodNewsToo
Ok, here's the deal on the "YubiKey cloning attack" stuff:
yes, a way to recover private keys from #YubiKey 5 has been found by researchers.
But the attack *requires*:
👉 *physically opening the YubiKey enclosure*
👉 *physical access* to the YubiKey *while it is authenticating*
👉 non-trivial electronics lab equipment
I cannot stress this enough:
❗In basically every possible scenario you are safer using a YubiKey or a similar device, than not using one.
@dangoodin “All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable.”
Check which firmware you have installed.
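Added example for the firmware check above, not code from the quoted report or from Yubico: it parses the `Firmware version:` line that the `ykman info` CLI prints and flags anything below 5.7, the version the quoted report names as the one that replaced the Infineon library. The sample output below is constructed in the shape ykman prints, not captured from a real key; `assess_connected_key` assumes the ykman CLI is installed on the host.

```python
"""Flag YubiKeys whose firmware predates 5.7 (added example; sample data constructed)."""
import re
import subprocess
from typing import Optional, Tuple

# From the quoted report: firmware 5.7 shipped the custom cryptographic library.
FIXED_IN = (5, 7, 0)


def parse_firmware_version(ykman_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract 'Firmware version: X.Y[.Z]' from `ykman info` text; None if absent."""
    m = re.search(r"Firmware version:\s*(\d+)\.(\d+)(?:\.(\d+))?", ykman_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the firmware is older than the 5.7 release that changed the library."""
    return version < FIXED_IN


def assess(ykman_output: str) -> str:
    """Turn raw `ykman info` text into a one-line verdict."""
    v = parse_firmware_version(ykman_output)
    if v is None:
        return "unknown: no firmware line found"
    label = ".".join(map(str, v))
    if is_affected(v):
        return f"firmware {label}: pre-5.7, affected by the reported side channel"
    return f"firmware {label}: 5.7 or later, not affected"


def assess_connected_key() -> str:
    """Run `ykman info` on the attached key (assumes the ykman CLI is installed)."""
    out = subprocess.run(["ykman", "info"], capture_output=True, text=True, check=True).stdout
    return assess(out)


# Constructed sample output in the shape ykman prints; serial is a placeholder.
SAMPLE_OLD = """Device type: YubiKey 5 NFC
Serial number: 00000000
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
"""
SAMPLE_NEW = "Device type: YubiKey 5C NFC\nFirmware version: 5.7.1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_OLD))
    print(assess(SAMPLE_NEW))
```

The comparison is on a (major, minor, patch) tuple rather than on the string, so 5.10 would sort after 5.7 correctly; a key that prints no firmware line at all is reported as unknown rather than silently treated as safe.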
Oh no, said literally nobody ever, about a huge fine that facial recognition startup Clearview AI absolutely deserves and then some.
No matter what citation graph I explore, IEEE is without fail the most broken part of the graph. Ridiculous per-paper pricing, non-institution membership options so byzantine I gave up (vs. ACM, which wanted to take my money), and of course an iron fist of exclusivity and closed access for the IP they rip out of authors' hands.
If you publish in an IEEE journal, you might as well be chucking your research in the shredder as far as the world outside academia's concerned :(
The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday.
The cryptographic flaw, known as a side channel, resides in a small microcontroller that’s used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
Microsoft has confirmed that Windows 11 users will not be able to uninstall the controversial “Recall” feature, despite earlier reports suggesting otherwise. Recall, part of the Copilot+ suite announced in May, automatically captures screenshots of user activity on the operating system including sensitive information such as passwords or financial data https://digitalmarketreports.com/news/25091/microsoft-recall-feature-on-windows-11-not-removable-after-all/ Do yourself a favor and get rid of Windows from your life—enough of these greedy companies. #privacy #security
Since I added my backup Yubikey to #Github yesterday I went to revoke the "Authentication App" option (i.e. TOTP) as a #2FA method, but it looks like maybe there's no way to revoke the "Authentication App" as an authentication method once you've set it up?
I see this on a number of sites, where they offer lots of different #authentication methods and encourage you to have multiple so you won't get locked out. For #security, though, I think it's just as important to be able to revoke weaker methods when you set up stronger ones, but this seems to frequently be neglected, which looks like a sort of half-hearted attempt at security to me.
This wouldn't be surprising to me in general, but I guess I expected Github to meet a higher standard, given how many processes on the Internet expect to be able to trust the contents of specific Github repositories. Maybe I'm missing something in the UI?
1: Programmer sets up a website that is just 1 million checkboxes, checking or unchecking them does so for everyone.
2: Hackers (the good, fun, quirky kind) find a way to encode text in it.
3: ...and a whole lot more...
https://eieio.games/essays/the-secret-in-one-million-checkboxes/
(cc @dylanbeattie on the very faint chance he's not seen it already)
USC/ISI hosts a summer program for students from under-represented groups. Nice.
https://www.isi.edu/news/70950/stimulating-stem-cultivates-diverse-futures/
would love ideas for solutions to these issues with folders in the terminal if folks have them! (just reply in this thread)
https://docs.google.com/spreadsheets/d/1hcTV-xFFKvMdEjUpSiKcVd0g6pnfa1b3GEwimoM7qlo/edit?usp=sharing
(please don't try to explain to me *why* the problem happens, I'm only interested in solutions!)
If someone sends me a toot link, say https://mastodon.social/@AlSweigart/113068130707089157, via Slack, is there a way on my iPhone to open the toot in Mona so I can retweet it? I’ve tried search in Mona, I’ve tried sharing it to Mona, and neither works.
I wrote up a little article about a problem that shows up in homomorphic encryption called "cheapest shift network" https://www.jeremykun.com/2024/09/02/shift-networks/
Theoretical physicist by training (PhD in quantum open systems/quantum information), University lecturer for a bit, and currently paying the bills as an engineer working in optical communication (implementation) and quantum communication (concepts), though still pursuing a little science on the side. I'm interested in physics and math, of course, but I enjoy learning about really any area of science, philosophy, and many other academic areas as well. My biggest other interest is hiking and generally being out in nature.