TeCHnology


Technology discussion for Switzerland. This community shall discuss various topics of technology in and around Switzerland.

founded 1 year ago

No planes took off from Kloten Airport, in Zurich, for around two hours on Monday afternoon. The reason was a technical malfunction. Landings were always possible.

The problem lay with air traffic control Skyguide, as a media spokeswoman told the Keystone-SDA news agency. She confirmed a report from “Blick” that it was a technical problem.

As Zurich Airport announced in the evening, the disruption had an impact on flight schedules and meteorological data. No more planes took off between 2:30 pm and 4:30 pm. Landings were still possible.

Swiss passengers were contacted, the airline announced in the evening. It goes on to say that there were numerous delays.

The problem has now been resolved, said Skyguide's media spokeswoman. The flights were delayed by 20 to 100 minutes. According to Zurich Airport, 60 flights were affected. But no flight had to be cancelled.


Oct 30 (Reuters) - Meta Platforms (META.O) said on Monday it will offer users in Europe a subscription plan to use Facebook and Instagram without advertisements to comply with European Union regulations.

The monthly subscription plans for users in the EU, European Economic Area and Switzerland, will cost 9.99 euros ($10.58) for web users, while iOS and Android users will have to shell out 12.99 euros a month.


Last week, privacy advocate (and very occasional Reg columnist) Alexander Hanff filed a complaint with the Irish Data Protection Commission (DPC) decrying YouTube's deployment of JavaScript code to detect the use of ad blocking extensions by website visitors.


You might have heard about quantum computers, a futuristic kind of computer that can perform certain operations far faster than today’s machines. You might have also heard that quantum computers will soon break encryption and expose everyone’s data.

In reality, quantum computers are already here, but they’re still pretty basic. Quantum computing technology is years or decades away from breaking current encryption standards, and its future applications are hypothetical. For now, your data is safe.

Even so, we take the potential threat seriously. Proton is not uniquely affected by this challenge, but we are uniquely equipped to confront it. We have a decade of experience developing and maintaining innovative open source cryptography. Our encrypted services protect the data of over 100 million accounts, with Proton Mail as the largest end-to-end encrypted email provider in the world. Many other services are built on the cryptographic libraries that we write and maintain. Because the security of our users and their data is our top priority, we’re always on the alert for new threats. Quantum computers are one of them. ...


Swiss train manufacturer Stadler Rail has won an order from the American state of California for the delivery of four hydrogen trains.

The contract, the value of which was not specified, also provides for the acquisition of 25 additional trainsets.

The order has been placed by the California State Transportation Agency (CalSTA) and the California Department of Transportation (Caltrans), the Thurgau-based company said on Friday.

Stadler's hydrogen train was designed in partnership with the San Bernardino County Transportation Authority in California. Unveiled in 2022, it has undergone extensive testing in Switzerland and the United States, according to the press release. CalSTA and Caltrans opted for this model on the basis of these tests.

Stadler Rail won its first contract for a hydrogen train in 2019 in the US. It is expected to enter service in 2024 as part of the San Bernardino County Transit Authority (SBCTA) in California and will be the first hydrogen train in American passenger transport.


Back in June 2002, Ubuntu founder Mark Shuttleworth was experiencing space for the first time, the Department of Justice's antitrust case against Microsoft was reaching its final arguments, and Adam Price, using what was then called Mozilla on a Mac, had an issue with persistent tooltips.

"If I mouseover a toolbar link, and wait for a second, a little yellow box with the description of the link appears. If I now use command-tab to move Mozilla to the background, the little yellow box stays there, in the foreground. The only way to get rid of it is to put mozilla in the foreground again, and move the mouse off the toolbar," Price wrote on June 2. There were a few other bugs related to this issue, but Price set down a reproducible issue, confirmed by many others in the weeks to come—and months to come, years to come, and more than two decades to come.

Over the years, people would check in on the thread or mark other bugs as duplicates of this one issue. It would occasionally seem fixed, only for coders and commenters to discover that it was just a little different in different versions or that prior fixes were seemingly accidental. Sometimes it seemed to appear in Windows or Linux, too. One commenter, denis, noted that at the 21-year mark: "I'm kinda partial to let it be forever. It feels like a relic from the past."

That relic is no more, as a fix to Bug 148624 was pushed in early September, with the fix appearing in build 119. I tried to replicate the tooltip on my not-yet-updated 118.0.1 Firefox browser on Mac but could not experience this rite of passage for myself. The patch itself is quite small, adding a check for whether a document has focus to the tooltip-showing code.

Yifan Zhu, who wrote the patch to Firefox's Tooltip Listener, wrote to Ars that they first encountered the bug in Thunderbird on Linux, as "seemingly random segments of text floating on my screen." Switching frequently between virtual desktops left subject lines floating on their screen, which was "extremely annoying." Zhu learned to switch back to either Firefox or Thunderbird and move their cursor before switching back.

But it grew on them, so they researched and sought to submit the bug, but "To my horror, I realized this bug report has been open for more than 20 years, and still hasn't been fixed." Because it was "a minor 'cosmetic' issue not causing crashes," there was a good chance nobody would fix it—"Unless I do it myself," Zhu wrote.

Zhu was motivated and knew how to program but had "zero experience in projects as complicated as the Firefox browser" and had "never contributed to open source projects before." But it was the summer before their PhD program started. "So, why not?"

Their start was inauspicious, to say the least. "I just searched for 'tooltip' in the entire code base, examined stuff for possible candidates, and inserted debugging print statements to follow the execution," Zhu wrote. This eventually bore answers. "When the mouse hovers over some element, a timer is started to display the tooltip. The timer would be canceled on a mouse-out event, which Firefox wasn't getting when I used keyboard shortcuts to switch windows or virtual desktops."

Zhu pushed a commit that made tooltip display based on Firefox losing focus, rather than the mouse leaving the application. In the next few hours, they heard from Emilio Cobos Álvarez, who refined Zhu's approach and helped get the commit into the code base. While the fix has created some regression, that bug is seeing work, too.

Zhu, born in 1999, just three years before this bug was submitted, had just finished their undergrad and Master's work at Stanford when they went to work on it. They are just starting their PhD in electrical engineering. They can only guess why a bug like this has lasted for most of their life. Their guess is that it's both a cosmetic inconvenience and tricky to reproduce, leaving other, more serious bugs with perennially higher ranking.

Cobos Álvarez, who shepherded Zhu's fix into a commit, wrote to us that "this area is rather tricky," given various Firefox configurations and how they respond to different operating systems. Finding a solution that elegantly dealt with a lack of input on when a Mozilla app wasn't in focus, without guarantee of OS input, was tricky. "Pretty impressive for his first Firefox contribution!"

On social media, especially the Mastodon instances where you might expect to find people with opinions on Mozilla's XML User Interface Language, there was much rejoicing. Some noted their amazement that Bugzilla itself, the bug reporting tool, had lasted even longer than the bug (25 years as of August). Some suggested that this fix countered the prevalence of "stalebots," which single out old, unresolved issues for deletion. And one drafted a full hero's journey.

Not anyone can make a great commit, but a great commit can come from anywhere.
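The mechanism the story describes (a hover starts a timer, only a mouse-out cancels it, and a keyboard window switch delivers no mouse-out) is easy to model. The block below is an added example written for this page, not Firefox's tooltip listener or Zhu's patch: the clock and window events are simulated so it runs offline in Node, and the class and function names are my own. The `fixed` flag switches between the 20-year-old behaviour and the two checks the fix added (blur cancels and hides, and the timer callback re-checks focus before showing).

```javascript
// Added example, not Firefox code: a minimal model of bug 148624 and its fix.
// FakeClock replaces setTimeout so the scenario is deterministic.
class FakeClock {
  constructor() { this.now = 0; this.timers = new Map(); this.nextId = 1; }
  setTimeout(fn, delay) {
    const id = this.nextId++;
    this.timers.set(id, { at: this.now + delay, fn });
    return id;
  }
  clearTimeout(id) { this.timers.delete(id); }
  advance(ms) {
    this.now += ms;
    const due = [...this.timers].sort((a, b) => a[1].at - b[1].at);
    for (const [id, t] of due) {
      if (t.at <= this.now) { this.timers.delete(id); t.fn(); }
    }
  }
}

class TooltipListener {
  // fixed=false: only a mouse-out cancels the pending tooltip (the old bug).
  // fixed=true: losing window focus also cancels it and hides an open one,
  // and the timer callback refuses to show while the document has no focus.
  constructor(clock, { fixed }) {
    this.clock = clock;
    this.fixed = fixed;
    this.hasFocus = true;
    this.pending = null;   // id of the scheduled show timer
    this.visible = null;   // text of the tooltip currently on screen
  }
  onMouseOver(text) {
    this.cancelPending();
    this.pending = this.clock.setTimeout(() => {
      this.pending = null;
      if (this.fixed && !this.hasFocus) return; // focus left while we waited
      this.visible = text;
    }, 500);
  }
  onMouseOut() { this.cancelPending(); this.visible = null; }
  onWindowBlur() {
    this.hasFocus = false;
    if (this.fixed) { this.cancelPending(); this.visible = null; }
  }
  onWindowFocus() { this.hasFocus = true; }
  cancelPending() {
    if (this.pending !== null) { this.clock.clearTimeout(this.pending); this.pending = null; }
  }
}

// Price's 2002 report: hover a toolbar button, wait for the tooltip, then
// Cmd-Tab away. No mouse-out is delivered. Returns what is still on screen.
function tooltipAfterSwitchingAway({ fixed }) {
  const clock = new FakeClock();
  const tips = new TooltipListener(clock, { fixed });
  tips.onMouseOver('Back');
  clock.advance(1000);   // tooltip appears
  tips.onWindowBlur();   // keyboard window switch; the mouse never leaves
  return tips.visible;
}

// Zhu's variant: switch away before the timer fires. Unfixed, the tooltip
// pops up over whatever window is now in front.
function tooltipWhenTimerFiresInBackground({ fixed }) {
  const clock = new FakeClock();
  const tips = new TooltipListener(clock, { fixed });
  tips.onMouseOver('Back');
  tips.onWindowBlur();
  clock.advance(1000);
  return tips.visible;
}
```

Both scenario functions return `'Back'` (a stranded tooltip) with `fixed: false` and `null` with `fixed: true`; the second scenario is why the fix needs the focus check inside the timer callback and not only a blur handler.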


Out with the old: Microsoft's decision to phase out VBScript marks the end of an era.

If you thought Microsoft's announcement about no longer updating WordPad was a curveball, brace yourself for another: VBScript is on its way out. Yes, you read that right. Microsoft has officially stated that VBScript is being deprecated.

Launched in 1996, VBScript—short for Visual Basic Scripting Edition—was Microsoft's attempt at a scripting language for web development. For a while, it was everywhere. Integrated into Internet Explorer, it was a key part of Microsoft's early web strategy. But unlike JavaScript, which saw expansive growth and community adoption, VBScript couldn't keep up the pace.

There are a couple of solid reasons Microsoft has decided to sunset VBScript.

First, the language is outdated. It hasn't seen significant updates in years, and its capabilities are far surpassed by modern languages like Python and JavaScript. Second, and perhaps more urgent, VBScript has security vulnerabilities that make it a point of concern. While Microsoft has released patches over the years, keeping an outdated language secure is a bit like patching a sinking ship—it's not a long-term solution.

One might think VBScript is just an old relic, but that's not entirely true. There are businesses with legacy systems that still rely on VBScript. Enterprise applications, in particular, are known to be late adopters of new technologies.

...

More information by Microsoft: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features


Cryptographic protocol helps secure the open source software ecosystem with zero-trust passwordless authentication.

The Linux Foundation, BastionZero and Docker are excited to announce the launch of OpenPubkey as a Linux Foundation open source project. To coincide with the launch of OpenPubkey, BastionZero is announcing the integration of OpenPubkey for Docker container signing, to help secure the open source software ecosystem with zero-trust passwordless authentication.

The OpenPubkey protocol was developed as part of BastionZero’s secure infrastructure access product. OpenPubkey enables users to securely and accurately bind cryptographic keys to users and workloads by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA). With the rollout of this integration, Docker users can enhance software supply chain security.

This new cryptographic protocol empowers developers to build out software supply chain or security applications. OpenPubkey augments OpenID Connect to enable workloads and users to sign artifacts under their OpenID identity. These keys can be used to cryptographically sign statements, enabling applications such as secure remote access or software supply chain security features such as signed builds, deployments, and code commits.

"The Linux Foundation is proud to host the OpenPubkey Project," said Jim Zemlin, Executive Director of the Linux Foundation. "We believe this initiative will play a pivotal role in strengthening the security of the open source software community. We encourage developers and organizations to join this collaborative effort in enhancing software supply chain security."

"We introduced OpenPubkey as its own standalone protocol to make it easy and secure to use digital signatures with OpenID Connect,” said Ethan Heilman, co-founder and CTO of BastionZero. “We are excited to partner with Docker to offer its community of software developers and open source contributors a simple and convenient way for users, service accounts, machines, or workloads to create digital signatures using their identity."

"TestifySec recognizes the value in enhancing software supply chain security," said Cole Kennedy, CEO of TestifySec. "We're impressed with OpenPubkey's approach to easy and trustworthy signing. Docker's collaboration with Bastion Zero has our full support, and we're eager to see the broader community benefit from it."

BastionZero and Docker are excited to bring this technology to the broader open source community under the Linux Foundation and aim to expand the reach of OpenPubkey, foster increased collaboration, and improve software security across the open source ecosystem. To learn more about how the integration of OpenPubkey is enhancing open source software supply chain security, including how to get involved, contribute, and join the community, please visit the GitHub page.


Sony Interactive Entertainment (SIE) has warned around 6,800 current and former employees that their personal data was accessed via a data breach, according to a letter seen by Bleeping Computer. The nature of the personal information stolen by hackers was redacted, but the company stated that a file transfer app called MOVEit was the source of the breach. It's the second report of an attack on Sony's operations within the last two weeks.

A ransomware group called CL0P claimed credit for the attack on May 28th, and MOVEit's vendor Progress Software notified Sony about the vulnerability on May 31st. "On June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability," Sony states in the letter to employees. "An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement."

The hackers reportedly gained access to personally identifiable information about US employees, so Sony is providing credit monitoring services to those affected.

Sony was the victim of another breach first reported last week. In that case, the hackers accessed servers in Japan used for internal testing for its Entertainment, Technology and Services business, pilfering 3.14GB of data. A threat actor called Ransomed.vc took credit for the attack, but that was denied by another group calling itself MajorNelson, which posted a sampling of files as proof. Sony said it was investigating the attack, adding "there has been no adverse impact on Sony's operations."

The company's PlayStation network was attacked in 2011, and Sony Pictures was famously hacked in 2014, resulting in a massive leak of documents and content — including entire films.


EXECUTIVE SUMMARY

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

  • Default configurations of software and applications
  • Improper separation of user/administrator privilege
  • Insufficient internal network monitoring
  • Lack of network segmentation
  • Poor patch management
  • Bypass of system access controls
  • Weak or misconfigured multifactor authentication (MFA) methods
  • Insufficient access control lists (ACLs) on network shares and services
  • Poor credential hygiene
  • Unrestricted code execution

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:

  • Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
  • Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.

  • Remove default credentials and harden configurations.
  • Disable unused services and implement access controls.
  • Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.
  • Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:

  • Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
  • Eliminating default passwords.
  • Providing high-quality audit logs to customers at no extra charge.
  • Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.

Preparations for a massive new particle smasher near Geneva are picking up speed. But the European-led project, which hopes to answer some of the biggest questions in physics, faces many obstacles, including competition from China.

In 2012 scientists at the European Organization for Nuclear Research (CERN) achieved a key breakthrough when they detected the elusive Higgs boson, an elementary particle that gives mass to all the others. This followed decades of work using accelerators such as the famed Large Hadron Collider (LHC), the world’s most powerful particle collider located north of Geneva.

Yet many fundamental questions about the universe remain unanswered: What constitutes dark matter? Why is our universe filled with matter and not antimatter? Or why do the masses of elementary particles differ so much?

The search for answers to these and other big physics questions requires another “leap to higher energies and intensities”, says CERN. The organisation wants to build a more powerful and precise successor to the LHC, which was conceived in the early 1980s and will complete its mission in 2040.

“We build these machines to explore the nature of the universe. It’s about going out into the unknown and exploring further,” says Mike Lamont, CERN’s director of accelerators and technology.

And so, following requests by the global physics community, plans for the so-called Future Circular Collider (FCC) have been taking shape over the past ten years.


The Nobel Assembly at Karolinska Institutet has today decided to award the 2023 Nobel Prize in Physiology or Medicine jointly to Katalin Karikó and Drew Weissman

for their discoveries concerning nucleoside base modifications that enabled the development of effective mRNA vaccines against COVID-19

The discoveries by the two Nobel Laureates were critical for developing effective mRNA vaccines against COVID-19 during the pandemic that began in early 2020. Through their groundbreaking findings, which have fundamentally changed our understanding of how mRNA interacts with our immune system, the laureates contributed to the unprecedented rate of vaccine development during one of the greatest threats to human health in modern times.

Vaccines before the pandemic

Vaccination stimulates the formation of an immune response to a particular pathogen. This gives the body a head start in the fight against disease in the event of a later exposure. Vaccines based on killed or weakened viruses have long been available, exemplified by the vaccines against polio, measles, and yellow fever. In 1951, Max Theiler was awarded the Nobel Prize in Physiology or Medicine for developing the yellow fever vaccine.

Thanks to the progress in molecular biology in recent decades, vaccines based on individual viral components, rather than whole viruses, have been developed. Parts of the viral genetic code, usually encoding proteins found on the virus surface, are used to make proteins that stimulate the formation of virus-blocking antibodies. Examples are the vaccines against the hepatitis B virus and human papillomavirus. Alternatively, parts of the viral genetic code can be moved to a harmless carrier virus, a “vector.” This method is used in vaccines against the Ebola virus. When vector vaccines are injected, the selected viral protein is produced in our cells, stimulating an immune response against the targeted virus.

Producing whole virus-, protein- and vector-based vaccines requires large-scale cell culture. This resource-intensive process limits the possibilities for rapid vaccine production in response to outbreaks and pandemics. Therefore, researchers have long attempted to develop vaccine technologies independent of cell culture, but this proved challenging.


Inspired by the suction cups on octopus tentacles, Zurich researchers have developed a patch for delivering medicines. The patch is stuck to the inside of the cheek and enables the delivery of medicines that would otherwise require a syringe.

In initial trials on humans, the patch proved to be safe and tolerable, as the researchers from the federal technology institute ETH Zurich wrote in the study published on Wednesday in the journal Science Translational Medicine.

To test their patch, the researchers loaded it with desmopressin, an approved diabetes drug for dogs, and stuck it on the oral mucosa, the lining or “skin” inside of the mouth, including cheeks and lips, of dogs. The patch stayed in the animals' mouths for three hours without falling off or causing irritation, the study showed. The effect of the drug was comparable to the effect when given in tablet form.

The researchers then had 40 volunteers stick the patch to the inside of their cheeks for half an hour without medication while they talked, walked and rinsed their mouths. Most of the patches stuck. In addition, the subjects reported that they would prefer the patch over injections for daily, weekly or monthly treatment.

Further studies needed

According to the study, the patch could be suitable for insulin. Until now, diabetics have had to inject themselves with insulin several times a day. Other peptides and proteins can also only be administered by injection. Previous attempts to administer them via nasal sprays or microneedles showed only limited effectiveness, according to the study.

Before the suction cup is used, however, further studies are needed to determine the safety of repeated treatment with it, according to the researchers.


From 0 to 100km/h in 0.956 seconds: an electric racing car built by students from the federal technology institute ETH Zurich and the Lucerne University of Applied Sciences has broken the world acceleration record.

The vehicle named “Mythen” achieved the milestone in a distance of 12.3 metres, ETHZ announced on Tuesday.

The previous world record of 1.461 seconds, set by a team from the University of Stuttgart, was bettered by more than a third, according to ETHZ. The record was set at the Dubendorf military airfield in canton Zurich.

The vehicle weighs just 140 kilograms and has an output of 326hp. To prevent the car from taking off when it gets off to a speedy start, the students developed a type of vacuum cleaner that sucks the vehicle to the ground.

The car was designed and built by around 30 students from the Academic Motorsport Association Zurich (AMZ). Following attempts in 2014 and 2016, this is the third time that the AMZ has set the acceleration world record.

Edit 1, added links:

Link to the article from ETH Zürich

Link to the video (piped.video)


A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.

An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.

Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.

Source of the problem

The researchers explain that the problem concerns the systemic practice of giving browser extensions unrestricted access to the DOM tree of sites they load on, which allows accessing potentially sensitive elements such as user input fields.

Given the lack of any security boundary between the extension and a site's elements, the former has unrestricted access to data visible in the source code and may extract any of its contents.

Additionally, the extension may abuse the DOM API to directly extract the value of inputs as the user enters them, bypassing any obfuscation applied by the site to protect sensitive inputs, and stealing the value programmatically.

The Manifest V3 protocol, which Google Chrome introduced and most browsers adopted this year, limits API abuse, prohibits extensions from fetching code hosted remotely that could help evade detection, and prevents the use of eval statements that lead to arbitrary code execution.

However, as the researchers explain, Manifest V3 does not introduce a security boundary between extensions and web pages, so the problem with content scripts remains.
