Curl Warns GitHub About 'Malicious Unicode' Security Issue
A Curl contributor replaced an ASCII letter with a Unicode alternative in a pull request, writes Curl lead developer/founder Daniel Stenberg. And not a single human reviewer on the team (or any of their CI jobs) noticed.
The change "looked identical to the ASCII version, so it was not possible to visually spot this..."
The impact of changing one or more letters in a URL can of course be devastating depending on conditions... [W]e have implemented checks to help us poor humans spot things like this. To detect malicious Unicode. We have added a CI job that scans all files and validates every UTF-8 sequence in the git repository.
In the curl git repository most files and most content are plain old ASCII so we can "easily" whitelist a small set of UTF-8 sequences and some specific files, the rest of the files are simply not allowed to use UTF-8 at all as they will then fail the CI job and turn up red. In order to drive this change home, we went through all the test files in the curl repository and made sure that all the UTF-8 occurrences were instead replaced by other kind of escape sequences and similar. Some of them were also used more or less by mistake and could easily be replaced by their ASCII counterparts.
The next time someone tries this stunt on us it could be someone with less good intentions, but now ideally our CI will tell us... We want and strive to be proactive and tighten everything before malicious people exploit some weakness somewhere but security remains this never-ending race where we can only do the best we can and while the other side is working in silence and might at some future point attack us in new creative ways we had not anticipated. That future unknown attack is a tricky thing.
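A minimal version of the check Stenberg describes, written as an added example rather than curl's actual CI job: decode every file strictly as UTF-8 (malformed bytes fail outright), then flag every non-ASCII code point unless both the file and the character are on an allowlist, and reject invisible and bidirectional-control characters regardless of allowlists, since those are the usual building blocks of source-level spoofing. The allowlists, the file paths and the sample tree below are all constructed for the example; the Cyrillic "а" (U+0430) in the test URL is the kind of substitution the post describes.

```python
"""Added example: CI-style scanner for non-ASCII content in a source tree."""
import unicodedata

# Hypothetical policy, not curl's real allowlist: non-ASCII is permitted only in
# these files, and only these code points are permitted there.
ALLOWED_FILES = {"docs/THANKS", "docs/CONTRIBUTORS"}
ALLOWED_CHARS = {"\u00e9", "\u00f6"}  # e.g. accented names in a contributors file

# Invisible or direction-changing code points: rejected everywhere, even in
# allowlisted files, because they can hide or reorder what a reviewer sees.
ALWAYS_REJECT = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",  # zero-width characters
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # bidi embeddings/overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # bidi isolates
}


def scan_file(path: str, data: bytes) -> list[str]:
    """Return human-readable findings for one file; an empty list means clean."""
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        # Malformed UTF-8 is a finding on its own; no further analysis needed.
        bad = data[exc.start:exc.end]
        return [f"{path}: invalid UTF-8 at byte {exc.start}: {bad!r}"]

    findings = []
    file_allowed = path in ALLOWED_FILES
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) < 0x80:
                continue  # plain ASCII is always fine
            name = unicodedata.name(ch, "<unnamed>")
            where = f"{path}:{lineno}:{col}"
            if ch in ALWAYS_REJECT:
                findings.append(f"{where}: forbidden control U+{ord(ch):04X} {name}")
            elif file_allowed and ch in ALLOWED_CHARS:
                continue
            else:
                findings.append(f"{where}: non-ASCII U+{ord(ch):04X} {name} not on allowlist")
    return findings


def scan_tree(files: dict[str, bytes]) -> list[str]:
    """Scan a mapping of repo-relative path -> file bytes and collect findings."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


# Constructed sample tree (not real curl files). The "a" in "example" inside
# tests/data/test1 is Cyrillic U+0430, which renders identically to ASCII "a".
SAMPLE_TREE = {
    "lib/url.c": b"/* plain ASCII is always fine */\n",
    "tests/data/test1": "http://ex\u0430mple.com/\n".encode("utf-8"),
    "docs/THANKS": "Ren\u00e9 Ols\u00f6n\n".encode("utf-8"),
    "docs/README": "caf\u00e9\n".encode("utf-8"),  # allowed char, file not allowlisted
    "src/tool.c": b"/* broken: lone continuation byte */ \x80\n",
    "lib/escape.c": "// comment\u202e */ { }\n".encode("utf-8"),
}

if __name__ == "__main__":
    problems = scan_tree(SAMPLE_TREE)
    for problem in problems:
        print(problem)
    raise SystemExit(1 if problems else 0)
```

In a real pipeline the tree would come from `git ls-files` rather than an inline dict, and the job fails the build on any finding. Because the rule is "no non-ASCII at all outside the allowlist", no confusable or homoglyph table is needed: an attacker gains nothing from picking a look-alike code point when every non-ASCII code point is already a failure.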
In the original blog post Stenberg complained he got "barely no responses" from GitHub (joking "perhaps they are all just too busy implementing the next AI feature we don't want.") But hours later he posted an update.
"GitHub has told me they have raised this as a security issue internally and they are working on a fix."
Read more of this story at Slashdot.
Despite Success of New 'Assassin's Creed' Game, Ubisoft Stock Tumbles 18%
"Shares of Ubisoft sank 18% on Thursday," reports CNBC, "after the French video game firm reported full-year earnings that disappointed investors... The company's shares have lost almost 60% of their value in the past 12 months, as the firm faced financial struggles, development hurdles, and underperformance of some of its key titles."
Ubisoft said its latest Assassin's Creed game "delivered the second-highest Day 1 sales revenue in franchise history and set a new record for Ubisoft's Day 1 performance on the PlayStation digital store," according to Reuters. And AFP notes that according to data from consultancy Circana, that game became the second-best-selling game of the year so far in the U.S. But...
[A] string of disappointing releases undermined this year's performance, with a net loss of 159 million euros ($178 million) on revenues of 1.9 billion — down 17.5 percent year-on-year. Over the past 12 months, Ubisoft's would-be blockbuster "Star Wars Outlaws" fell short of sales expectations on release, while it cancelled multiplayer first-person shooter "XDefiant" for lack of players. "This year has been a challenging one for Ubisoft, with mixed dynamics across our portfolio, amid intense industry competition," chief executive Yves Guillemot said in a statement.
The group expects the measure to hold steady in the coming 2025-26 financial year, during which it will release a new "Prince of Persia" game, strategy title "Anno 117: Pax Romana" and mobile versions of shooters "Rainbow Six" and "The Division"... Moving to address its business woes, Ubisoft said in late March that it would create a new subsidiary to manage its three top franchises: "Assassin's Creed", "Far Cry" and "Rainbow Six".
"Since January, the shares have lost more than 12 percent, touching their lowest price in over a decade in April."
Paleontologists Identify Tiny Three-Eyed 'Sea Moth' Predator in Fossils
"With the help of more than five dozen fossils, paleontologists have uncovered a tiny three-eyed predator nicknamed the 'sea moth'," reports CNN, "that swam in Earth's oceans 506 million years ago."
Tiny as in 15 to 61 mm in total body length. (That's 0.60 to 2.4 inches...) But check out the illustration in CNN's article...
Mosura fentoni, as the species is known, belongs to a group called radiodonts, an early offshoot of the arthropod evolutionary tree, according to a new study published Tuesday in the journal Royal Society Open Science. While radiodonts are now extinct, studying their fossilized remains can illuminate how modern arthropods such as insects, spiders and crabs evolved. One of the most diverse animal groups, arthropods are believed to account for more than 80% of living animal species, said lead study author Dr. Joe Moysiuk, curator of paleontology and geology at the Manitoba Museum in Winnipeg.
Well-preserved specimens of the previously unknown Mosura fentoni also reveal something that's never been seen in any other radiodont: an abdomen-like body region with 16 segments that include gills at its rear. This part of the creature's anatomy is similar to a batch of segments bearing respiratory organs at the rear of the body found in distant modern radiodont relatives like horseshoe crabs, woodlice and insects, Moysiuk said.... No animal living today quite looks like Mosura fentoni, Moysiuk said, although it had jointed claws similar to those of modern insects and crustaceans. But unlike those critters, which can have two or four additional eyes used to help maintain orientation, Mosura had a larger and more conspicuous third eye in the middle of its head.
"Although not closely related, Mosura probably swam in a similar way to a ray, undulating its multiple sets of swimming flaps up and down, like flying underwater," Moysiuk said in an email. "It also had a mouth shaped like a pencil sharpener and lined with rows of serrated plates, unlike any living animal." About the size of an adult human's index finger, Mosura and its swimming flaps vaguely resemble a moth, which led researchers to call it the "sea moth."
The Royal Society publication notes the etymology of the species name (Mosura fentoni is "from the name of the fictional Japanese monster, or kaiju... also known as 'Mothra'...in reference to the moth-like appearance of the animal").
Thanks to long-time Slashdot reader walterbyrd for sharing the news.
Rust Creator Graydon Hoare Thanks Its Many Stakeholders - and Mozilla - on Rust's 10th Anniversary
Thursday was Rust's 10-year anniversary for its first stable release. "To say I'm surprised by its trajectory would be a vast understatement," writes Rust's original creator Graydon Hoare. "I can only thank, congratulate, and celebrate everyone involved... In my view, Rust is a story about a large community of stakeholders coming together to design, build, maintain, and expand shared technical infrastructure."
It's a story with many actors:
- The population of developers the language serves who express their needs and constraints through discussion, debate, testing, and bug reports arising from their experience writing libraries and applications.
- The language designers and implementers who work to satisfy those needs and constraints while wrestling with the unexpected consequences of each decision.
- The authors, educators, speakers, translators, illustrators, and others who work to expand the set of people able to use the infrastructure and work on the infrastructure.
- The institutions investing in the project who provide the long-term funding and support necessary to sustain all this work over decades.
All these actors have a common interest in infrastructure.
Rather than just "systems programming", Hoare sees Rust as a tool for building infrastructure itself, "the robust and reliable necessities that enable us to get our work done" — a wide range that includes everything from embedded and IoT systems to multi-core systems. So the story of "Rust's initial implementation, its sustained investment, and its remarkable resonance and uptake all happened because the world needs robust and reliable infrastructure, and the infrastructure we had was not up to the task."
Put simply: it failed too often, in spectacular and expensive ways. Crashes and downtime in the best cases, and security vulnerabilities in the worst. Efficient "infrastructure-building" languages existed but they were very hard to use, and nearly impossible to use safely, especially when writing concurrent code. This produced an infrastructure deficit many people felt, if not everyone could name, and it was growing worse by the year as we placed ever-greater demands on computers to work in ever more challenging environments...
We were stuck with the tools we had because building better tools like Rust was going to require an extraordinary investment of time, effort, and money. The bootstrap Rust compiler I initially wrote was just a few tens of thousands of lines of code; that was nearing the limits of what an unfunded solo hobby project can typically accomplish. Mozilla's decision to invest in Rust in 2009 immediately quadrupled the size of the team — it created a team in the first place — and then doubled it again, and again in subsequent years. Mozilla sustained this very unusual, very improbable investment in Rust from 2009-2020, as well as funding an entire browser engine written in Rust — Servo — from 2012 onwards, which served as a crucial testbed for Rust language features.
Rust and Servo had multiple contributors at Samsung, Hoare acknowledges, and Amazon, Facebook, Google, Microsoft, Huawei, and others "hired key developers and contributed hardware and management resources to its ongoing development." Rust itself "sits atop LLVM" (developed by researchers at UIUC and later funded by Apple, Qualcomm, Google, ARM, Huawei, and many other organizations), while Rust's safe memory model "derives directly from decades of research in academia, as well as academic-industrial projects like Cyclone, built by AT&T Bell Labs and Cornell."
And there were contributions from "interns, researchers, and professors at top academic research programming-language departments, including CMU, NEU, IU, MPI-SWS, and many others."
JetBrains and the Rust-Analyzer OpenCollective essentially paid for two additional interactive-incremental reimplementations of the Rust frontend to provide language services to IDEs — critical tools for productive, day-to-day programming. Hundreds of companies and other institutions contributed time and money to evaluate Rust for production, write Rust programs, test them, file bugs related to them, and pay their staff to fix or improve any shortcomings they found. Last but very much not least: Rust has had thousands and thousands of volunteers donating years of their labor to the project. While it might seem tempting to think this is all "free", it's being paid for! Just less visibly than if it were part of a corporate budget.
All this investment, despite the long time horizon, paid off. We're all better for it.
He looks ahead with hope for a future with new contributors, "steady and diversified streams of support," and continued reliability and compatibility (including "investment in ever-greater reliability technology, including the many emerging formal methods projects built on Rust.")
And he closes by saying Rust's "sustained, controlled, and frankly astonishing throughput of work" has "set a new standard for what good tools, good processes, and reliable infrastructure software should be like.
"Everyone involved should be proud of what they've built."
The Top Fell Off Australia's First Orbital-Class Rocket, Delaying Its Launch
Australia's first orbital-class rocket launch was delayed after the nose cone of Gilmour Space's Eris rocket unexpectedly detached due to an electrical fault during final preparations. Although no damage occurred and no payload was onboard, the company is postponing the launch to investigate and replace the fairing before attempting another test flight. Ars Technica reports: Gilmour, the Australian startup that developed the Eris rocket, announced the setback in a post to the company's social media accounts Thursday. "During final launch preparations last night, an electrical fault triggered the system that opens the rocket's nose cone (the payload fairing)," Gilmour posted on LinkedIn. "This happened before any fuel was loaded into the vehicle. Most importantly, no one was injured, and early checks show no damage to the rocket or the launch pad."
Gilmour was gearing up for a launch attempt from a privately owned spaceport in the Australian state of Queensland early Friday, local time (Thursday in the United States). The company's Eris rocket, which was poised for its first test flight, stands about 82 feet (25 meters) tall with its payload fairing intact. It's designed to haul a payload of about 670 pounds (305 kilograms) to low-Earth orbit.
While Gilmour didn't release any photos of the accident, a company spokesperson confirmed to Ars that the payload fairing "deployed" after the unexpected electrical issue triggered the separation system. Payload fairings are like clamshells that enclose the satellites mounted to the top of their launch vehicle, protecting them from weather on the launch pad and from airflow as the rocket accelerates to supersonic speeds. Once in space, the rocket releases the payload shroud, usually in two halves. There were no satellites aboard the rocket as Gilmour prepared for its first test flight. The report notes that the Eris rocket is aiming to "become the first all-Australian launcher to reach orbit."
How the Indian Media Amplified Falsehoods in the Drumbeat of War
During the conflict between India and Pakistan, even some long-trusted outlets reported unverified information and fabricated stories.
At Mexico’s 2 Legal Gun Shops, a Conflicted View of Firearms Is on Display
While Mexicans have a right to own guns, they can only be legally bought at two military-run and tightly regulated stores, an effort to better control possession in a country awash with black market weapons.
A Haven for High School Girls’ Wrestling, Filled With Grit and Pride
The Lucha Wrestling Club in the Bronx provides a safe place for an aggressive sport. The Bronx has more public high school girls’ teams than any other New York City borough.
NASA Resurrects Voyager 1 Interstellar Spacecraft's Thrusters After 20 Years
NASA engineers have successfully revived Voyager 1's backup thrusters, unused since 2004 and once considered defunct. Space.com reports: This remarkable feat became necessary because the spacecraft's primary thrusters, which control its orientation, have been degrading due to residue buildup. If its thrusters fail completely, Voyager 1 could lose its ability to point its antenna toward Earth, therefore cutting off communication with Earth after nearly 50 years of operation. To make matters more urgent, the team faced a strict deadline while trying to remedy the thruster situation. After May 4, the Earth-based antenna that sends commands to Voyager 1 -- and its twin, Voyager 2 -- was scheduled to go offline for months of upgrades. This would have made timely intervention impossible.
To solve the problem, NASA's team had to reactivate Voyager 1's long-dormant backup roll thrusters and then attempt to restart the heaters that keep them operational. If the star tracker drifted too far from its guide star during this process, the roll thrusters would automatically fire as a safety measure -- but if the heaters weren't back online by then, firing the thrusters could cause a dangerous pressure spike. So, the team had to precisely realign the star tracker before the thrusters engaged. Because Voyager is so incredibly distant, the team faced an agonizing 23-hour wait for the radio signal to travel all the way back to Earth. If the test had failed, Voyager might have already been in serious trouble. Then, on March 20, their patience was finally rewarded when Voyager responded perfectly to their commands. Within 20 minutes of receiving the signal, the team saw the thruster heaters' temperature soar -- a clear sign that the backup thrusters were firing as planned. "It was such a glorious moment. Team morale was very high that day," Todd Barber, the mission's propulsion lead at JPL, said in the statement. "These thrusters were considered dead. And that was a legitimate conclusion. It's just that one of our engineers had this insight that maybe there was this other possible cause, and it was fixable. It was yet another miracle save for Voyager."
Tornado Strikes St. Louis, Killing at Least Five
Widespread damage was reported, including toppled trees and power lines. The tornado was part of a larger weather system that threatened numerous states.
Supreme Court Deals Blow to Trump Deportation Plan Using Wartime Law
The Trump administration will not be allowed to deport Venezuelans under the law while the matter is being litigated in a federal court, the justices ruled.
Inside Trump’s Trip to the Middle East: Adulation and Not a Whiff of Protests
At every step of President Trump’s whirlwind tour, he has been treated with the kind of honor and respect he has long desired.
Under Fire From Trump’s Tariffs, Ammo Makers in a Balkan Valley Hunker Down
Companies that make ammunition in the Bosnian city of Gorazde fear they may not survive the tariffs imposed on the goods that they send to their biggest market — the United States.
U.A.E. Is Pouring Money Into Africa, Seeking Resources and Power
As the United States and other economic powers reduce their investment, aid and presence in Africa, the United Arab Emirates is wielding its wealth.
FDA Clears First Blood Test To Help Diagnose Alzheimer's Disease
An anonymous reader quotes a report from the Associated Press: U.S. health officials on Friday endorsed the first blood test that can help diagnose Alzheimer's and identify patients who may benefit from drugs that can modestly slow the memory-destroying disease. The test can aid doctors in determining whether a patient's memory problems are due to Alzheimer's or a number of other medical conditions that can cause cognitive difficulties. The Food and Drug Administration cleared it for patients 55 and older who are showing early signs of the disease.
The new test, from Fujirebio Diagnostics, Inc., identifies a sticky brain plaque, known as beta-amyloid, that is a key marker for Alzheimer's. Previously, the only FDA-approved methods for detecting amyloid were invasive tests of spinal fluid or expensive PET scans. The lower costs and convenience of a blood test could also help expand use of two new drugs, Leqembi and Kisunla, which have been shown to slightly slow the progression of Alzheimer's by clearing amyloid from the brain. Doctors are required to test patients for the plaque before prescribing the drugs, which require regular IV infusions. [...]
A number of specialty hospitals and laboratories have already developed their own in-house tests for amyloid in recent years. But those tests aren't reviewed by the FDA and generally aren't covered by insurance. Doctors have also had little data to judge which tests are reliable and accurate, leading to an unregulated marketplace that some have called a "wild west." Several larger diagnostic and drug companies are also developing their own tests for FDA approval, including Roche, Eli Lilly and C2N Diagnostics. The tests can only be ordered by a doctor and aren't intended for people who don't yet have any symptoms.
Audio Clip of Biden Special Counsel Interview Is Released, Showing Verbal Stumbles
Republicans have long sought to make public a recording of the 2023 interview, arguing that it might offer evidence of a decline in Joseph R. Biden Jr.’s mental acuity.
After Cuts, a Kentucky Weather Office Scrambles for Staffing as Severe Storms Bear Down
The office in Jackson, Ky., is one of several left without an overnight forecaster after hundreds of jobs were recently cut from the National Weather Service.
Couple Imprisoned Girl for 7 Years and Kept Her in Dog Cage, Police Say
Investigators, who did not identify the teenager, now 18, said they believed she had been sexually abused by her stepfather.
Secret Service Questions Comey Over ‘86 47’ Social Media Post About Trump
Administration officials had said the post — a picture of seashells forming the numbers “86 47” — amounted to an assassination threat by the former F.B.I. director.
Microsoft's Command Palette is a Powerful Launcher For Apps, Search
Microsoft has released Command Palette, an enhanced version of its PowerToys Run launcher introduced five years ago. The utility, aimed at power users and developers, provides quick access to applications, files, calculations, and system commands through a Spotlight-like interface.
Command Palette integrates the previously separate Window Walker functionality for switching between open windows and supports launching command prompts, executing web searches, and navigating folder structures. Unlike its predecessor, the new launcher offers full customization via extensions, allowing users to implement additional commands beyond the default capabilities. Available through the PowerToys application since early April, Command Palette can be triggered using Win+Alt+Space after installation.