65% of U.S. doctors reportedly use OpenEvidence, which is supported in part by pharmaceutical ads:
How would you like it if, when stumped or just in need of some help with an unfamiliar situation, your doctor consulted a free, ad-supported AI chatbot? That's not actually a hypothetical. They probably are doing that, a new report from NBC News says.
It's called OpenEvidence, and NBC says it was "used by about 65% of U.S. doctors across almost 27 million clinical encounters in April alone." An earlier Bloomberg report on OpenEvidence from seven months ago said it had signed up 50% of American doctors at the time—so reported growth is rapid.
The OpenEvidence homepage trumpets the bot as "America's Official Medical Knowledge Platform," and says healthcare professionals qualify for unlimited free use, but non-doctors can try it for free without creating accounts. It gives long, detailed answers with extensive citations that superficially look—to me, a non-doctor—trustworthy and credible.
NBC interviewed doctors for its story, and apparently pressed them on how often they actually click those links to the sources of information, and "most said they only do so when they get an unexpected result," NBC's report says.
While it's free, OpenEvidence is not a charity. It's a Miami-headquartered tech unicorn with a billionaire founder named David Nadler, and as of January it boasted a $12 billion valuation. NBC says it's backed by some of the all stars of Sand Hill Road: Sequoia Capital and Andreessen Horowitz, along with Google Ventures, Thrive Capital, and Nvidia.
And its revenue comes from ads (for now), which NBC says are often for "pharmaceutical and medical device companies."
[...] At a recent doctor's appointment, my doctor asked my permission to use an AI tool on their phone (I don't know if it was OpenEvidence). I didn't know what to say other than yes. Do I want that for my doctor's appointment? Not especially. But if my doctor has come to rely on a tool like this, then what am I supposed to do? Take away their crutch?
Data center projects have faced resistance from residents and communities over their impact on power prices, but another complaint is being raised more frequently — noise pollution. One form of sound pollution is called infrasound, which is inaudible to humans but can be felt, and some claim it causes headaches, insomnia, nausea, and anxiety. Then there's the normal garden-variety sound pollution. The Environmental and Energy Study Institute (EESI), a non-profit organization, said that high- and low-frequency sounds emitted by these industrial sites can be heard and felt for hundreds of feet in surrounding areas, with noise levels reaching as high as 96dB for 24 hours a day and seven days a week.
Infrasound is another complaint that researchers are studying. Heatmap Plus reports that this is the phenomenon of frequencies so low they’re inaudible to humans. Nevertheless, some people can feel it, and there have been claims linking them to various negative health effects such as headaches, insomnia, nausea, and anxiety. Infrasound and its effects need further study, but it’s one of the issues local governments have been raising as they place a moratorium on data center projects. [...]
Normal noise pollution remains an issue, and communities living near off-grid data centers that generate their own power have it the worst. These sites generate their own power, typically using natural-gas-powered turbines — essentially jet engines bolted to the floor and used to turn generators that produce electricity. Aside from pollution concerns, such as those raised by residents around Elon Musk’s Colossus Supercomputer, which used over 30 mobile gas turbines for power, these turbines can be as loud as a passenger jet, making the site sound as loud as an airport. What’s worse is that, unlike backup generators, which only operate occasionally, these machines run continuously, meaning nearby communities will lose the peace of the neighborhood as long as these data centers operate.
[...] The United States does not lack flat, open land away from population centers on which to build data centers. However, AI hyperscalers prefer to locate their campuses near existing infrastructure so they don’t have to spend massive amounts of time and resources building everything from scratch. A few data centers are being built on former industrial sites, like shuttered factories and abandoned paper mills, but there are not enough of these around for the number of projects being proposed and built. As the negative effects of building these sites too close to population centers are slowly being revealed, we expect opposition to these projects to keep increasing.
Tiny molecules in the blood can strongly predict short-term survival in older adults:
As people get older, it can be difficult to tell who is likely to remain healthy and who may face a higher risk of serious decline. New research suggests that clues to that risk may already be present in the blood.
A study led by Duke Health, in collaboration with the University of Minnesota, found that small RNA molecules called piRNAs can help predict whether older adults are likely to live at least two more years.
Published in Aging Cell, the findings suggest that a simple blood test could eventually help doctors identify short-term survival risks earlier and guide strategies aimed at healthier aging.
“The combination of just a few piRNAs was the strongest predictor of two-year survival in older adults—stronger than age, lifestyle habits, or any other health measures we examined,” said Virginia Byers Kraus, M.D., Ph.D., senior author of the study and professor in the departments of Medicine, Pathology, and Orthopaedic Surgery at Duke University School of Medicine. “What surprised us most was that this powerful signal came from a simple blood test,” Kraus said.
The team analyzed piRNAs in blood samples from adults aged 71 and older and found that lower levels of certain piRNAs were closely associated with longer survival. Earlier studies have shown that these small RNA fragments help regulate development, regeneration, and immune activity.
[...] Older adults who survived longer consistently had lower levels of specific piRNAs, matching a pattern previously seen in simple organisms, where reducing these molecules can extend lifespan. Kraus said the results raise the possibility that piRNAs may play a direct role in longevity.
“We know very little about piRNAs in the blood, but what we’re seeing is that lower levels of certain specific ones is better,” Kraus said. “When these molecules are present in higher amounts, it may signal that something in the body is off-track. Understanding why could open new possibilities for therapies that promote healthy aging.”
The study also tested piRNAs against better-known health measures. For short-term survival prediction, piRNAs performed better than age, cholesterol, physical activity, and more than 180 other clinical indicators. Lifestyle factors became more important for longer-term survival, but piRNAs still offered meaningful insight into the biology beneath aging.
[...] “These small RNAs are like micromanagers in the body, helping control many processes that affect health and aging,” Kraus said. “We are only beginning to understand how powerful they are. This research suggests we should be able to identify short-term survival risk using a practical, minimally invasive blood test—with the ultimate goal of improving health as we age.”
Journal Reference: Kraus, V. B., S. Ma, S. I. Naz, et al. 2026. "Select Small Non-Coding RNAs Are Determinants of Survival in Older Adults." Aging Cell, 25, no. 3: e70403. https://doi.org/10.1111/acel.70403.
Fortunately, it happened early in the morning, so nobody was around:
At 5:26 am local time on August 10, 2025, a massive wedge of rock with a volume of at least 63.5 million cubic meters detached from a mountain above Alaska's Tracy Arm fjord. The falling rock plummeted into the deep waters at the terminus of the South Sawyer Glacier and caused an initial 100-meter-high breaking wave that tore across the fjord at speeds exceeding 70 meters a second. When this wave hit the opposite shoreline, it surged up the steep rocks to a height of 481 meters above sea level.
"It was the second highest tsunami ever recorded on Earth," says Aram Fathian, a researcher at the University of Calgary and co-author of a recent Science study that reconstructed this event in detail. "But until now, almost nobody heard about it because it was a near-miss event," he adds. There were no injuries or fatalities reported following the Tracy Arm fjord tsunami, mostly because it happened early in the morning. But we might not be so lucky next time.
Earthquake-generated tsunamis usually reach runup heights of a few tens of meters when they strike land. Landslide tsunamis, like the one that happened in Tracy Arm, are often more localized but also way more violent. When millions of tons of rock suddenly fall into a confined body of water like a narrow fjord, the variation in water depth and the direct displacement of the water column produce extremely high waves. Since 1925, scientists have documented 27 such events with runups exceeding 50 meters. The highest was the 1958 Lituya Bay tsunami, which reached 530 meters.
The source of the 2025 Tracy Arm tsunami was a steep rock wedge on the northern side of the fjord. Its headscarp, the uppermost boundary of a landslide or rockfall, sat roughly 1,025 meters above sea level. For centuries, the structural integrity of this slope was maintained by a massive wall of ice known as the South Sawyer Glacier. But South Sawyer, like many other glaciers in the Stikine Icefield, has been in a state of retreat due to the warming climate.
[...] Retrospective analysis of optical and radar satellite imagery from the weeks preceding the slide showed no visible tension cracks or major deformational scarring on the slope. From the outside, it looked perfectly sound. But deep within the rock, surfaces were already grinding. Regional seismometers registered localized repeating earthquakes beginning as early as August 5. By August 9, these mini earthquakes were happening once every hour. In the six hours leading up to the main failure, the gaps between these seismic signals shrank to between 30 and 60 seconds.
The cause of this uptick in microseismicity was the small patches of rock and ice snapping as a huge part of the cliff began to inch its way downward. About an hour before the landslide, the signals merged into a continuous, grinding slip. And then, the rock fell.
The impact of 63.5 million cubic meters of rock hitting the fjord released forces large enough to be registered globally. The seismic waves that cascaded across the planet were recorded by sensor stations worldwide and were equivalent in energy to a magnitude 5.4 earthquake. The sloshing water within the fjord established a 66-second long-period seiche, a standing wave, that reverberated back and forth for 36 hours.
"It could easily turn into a catastrophic disaster," Fathian says. It could, because Tracy Arm is a highly frequented tourist destination.
[...] As climate change accelerates the retreat of tidewater glaciers and thaws the permafrost holding Arctic mountains together, the structural integrity of these landscapes is failing. "These conditions exist in many locations worldwide: Canada, Alaska, New Zealand, Greenland, Norway, and many other places," Fathian claims. "And a similar event could happen in these areas."
At the same time, our exposure to these hazards is on the rise. The number of cruise ship passengers visiting Alaska has increased from roughly 1 million in 2016 to 1.6 million in 2025. "Some of these cruise ships carry up to 6,000 passengers. This is literally a floating city," Fathian says. "Imagine one of these ships getting hit by a mega tsunami wave."
The researchers hope their study will provide scientific tools we could use to predict such events in advance. "Tracy Arm was not on the radar—it was not on anyone's hazard or risk map," Fathian explains. The goal for the team now is a better understanding of precursory warning signals they could detect with seismological techniques like mini earthquakes recorded around Tracy Arm a few days prior to the tsunami.
"These signals could be promising for developing early warning systems in similar conditions or areas," Fathian says. "Hopefully this kind of data ends up on desks of policymakers and regulators to come up with practical and appropriate measures."
Science, 2026. DOI: http://dx.doi.org/10.1126/science.aec3187
America's aging electric grid is struggling to meet modern demands—especially amid the AI boom. Overhauling it will be no small feat:
Most of America’s power grid infrastructure is 40 to 70 years old. That may not sound ancient, but modern-day pressures are exposing cracks in the system.
Across the nation, aging power systems are crumbling under the strain of the AI boom, extreme weather, and policy paralysis. In several regions, operating reserves are tightening, increasing the risk that supply could fall short during peak conditions when routine outages are factored in. As a result, consumers are grappling with rising utility costs and reduced reliability.
For this Giz Asks, we asked experts what it will take to modernize the U.S. power grid. They pointed to numerous challenges but also outlined clear ways to bring each component of this outdated system up to speed, from generation to distribution.
TFA presents answers from four experts on the challenges with generation, transmission, and distribution, and potential ways forward.
Bloomberg reports on a recent court decision in China.
The court decided that a tech firm in eastern China had illegally fired one of its workers after he refused to take a demotion when his job was automated by AI, according to a statement published by the Hangzhou Intermediate People's Court.
"The termination grounds cited by the company did not fall under negative circumstances such as business downsizing or operational difficulties, nor did they meet the legal condition that made it 'impossible to continue the employment contract,'" the court said in the article dated April 28. Companies cannot unilaterally lay off employees or cut salaries due to technological progress, the court said in a separate statement, citing the same case.
[...]
The employee at the center of the case, a quality assurance professional at a tech company identified only as Zhou, had been responsible for checking the accuracy of outputs by large language models, according to the filing. When an AI system took over his job, he was demoted and forced to take a 40% pay cut.
When Zhou refused the reassignment, the company terminated him, pointing to reductions in staffing due to AI. The case went to arbitration and then the Chinese court system, which supported a compensation package.
The ruling builds on a precedent set by another Chinese court in December, which found that AI implementation did not meet the necessary legal standard for a mapping company to terminate one of its employees' contracts.
Also at https://archive.ph/6tNRC.
If it didn't say China all over it, I would have guessed this court decision was in Europe(??).
Going back to a hypothetical situation from, say, 20 years ago, does anyone know what happened (in China) to a room full of lathe operators when the company bought a CNC lathe and a robot to load and unload the parts? I certainly don't recall reading about any court decisions supporting the machinists back then, perhaps because the Chinese economy was growing so fast that another job was easy to find?
Every frontier model in 2026 advertises a context window of at least a million tokens, but almost none of them are actually great at making use of all of that information. On MRCR v2, the multi-reference retrieval benchmark labs report, the best model is GPT-5.5, which scores 74.0%. Others like Claude Opus 4.7 at 32.2% are far behind.
At this point, a million tokens seems to be the maximum for the context window that the major frontier labs are offering. One major reason for the million-token max is the same one that has shaped every transformer-based model since 2017: Attention cost scales quadratically with context length, so doubling the input quadruples the work. Essentially, RAG, agentic decomposition, hybrid model architectures, and every other workaround the industry has built are ways of making tradeoffs to get around this.
Subquadratic, a Miami-based startup, launched its first model on Tuesday and claims it can get around all of this, now offering a model that can handle a token window of 12 million tokens. What's more, the company says it plans to offer a model with a 50-million-context window soon.
The company, which has 11 Ph.D. researchers on staff, argues that its architecture, called Subquadratic Selective Attention (SSA), scales linearly in both compute and memory with respect to context length. The company says it runs 52 times faster than dense attention at a million tokens, hits 92.1% on needle-in-a-haystack retrieval at 12 million tokens — a context length no frontier model currently gets close to — and scores 83 on MRCR v2, beating OpenAI by nine points.
[...] The quadratic cost of attention is obviously not a new problem, and SSA is not the first attempt to solve it. The research line goes back nearly to the original transformer paper, and the overall pattern has remained consistent. Every approach has traded one necessary property to gain another, and none have been able to replace dense attention at the frontier scale.
[...] DeepSeek's Native Sparse Attention won the ACL 2025 best paper award, for example. Its successor, DeepSeek Sparse Attention (DSA), is shipping in DeepSeek V3.2-Exp. DSA's lightning indexer routes attention to a small subset of selected keys, and the attention over those keys is genuinely sparse. The indexer that picks them, however, has to score every query against every key, meaning the selection step is itself quadratic.
SubQuadratic CTO Alex Whedon tells The New Stack, "Sparse attention basically means instead of doing what transformers do, which is if you have 1,000 words, you look at every possible relationship between all 1,000 words, which is 1,000 squared combinations. You realize that only a portion of those actually matter and you only process the portion that matter."
SSA's pitch is that it does what DSA tried to do without the indexer trap. Selection is content-dependent. For any given query, the model picks which positions matter based on what the query and keys actually contain — and most importantly, the selection mechanism itself does not go quadratic.
"For prompt A, words one and six are going to be important to each other," Whedon says. "For prompt B, maybe it's words two and three. It's different for every single input."
According to Whedon, hybrids deliver "a scalar benefit," but a pure subquadratic mechanism delivers a scaling-law advantage. SubQ reported a 7.2× speedup at 128K and 52.2× at 1M in its benchmarks.
[...] The company is launching two products in beta: an API that exposes the full 12M-token window and SubQ Code, a CLI agent built on the same model. Both run on neoclouds rather than the major hyperscalers — "they're very expensive," CEO Justin Dangel says.
The company is not open-sourcing weights but plans to offer training tools for enterprises to do their own post-training. The 50-million-token context window target is set for Q4.
There is a bit of a cautionary tale here, though. Magic.dev announced a 100M-token context-window model in August 2024, with a claimed 1000× efficiency advantage. It raised over $500 million on its strength. As of early 2026, there is no public evidence of LTM-2-mini being used outside Magic.
Subquadratic has raised $29 million to date at a $500 million valuation from investors including former SoftBank Vision Fund partner Javier Villamizar and Tinder co-founder Justin Mateen. The company was previously called Aldea and worked on speech models before pivoting. The technical case is real. The category's track record is the rest of the story.
SteamOS scared Microsoft into making Windows less like Windows:
For decades, if you wanted to game, you used Windows. I mean, you could use Linux or macOS, but game support was purely dependent on whether the developer took the time to create a native client for your operating system. And given how people on Linux and macOS were likely not gamers in the first place (given how they were on, you know, Windows), the sales weren't often worth the development time.
But then something clicked. Valve wanted to release a handheld console not too unlike the Switch, but for PC gaming. To do that, they needed an operating system. And while they could have just slapped Windows 11 on it and called it a day, they instead cooked up an operating system based on Arch Linux called SteamOS. And while the tides didn't turn immediately, it has gotten to the point where Microsoft is scared of losing its "best OS for gaming" title.
When Valve created SteamOS, it had the same problem that all Linux distros had. No matter how good SteamOS was, it was still at the mercy of people bothering to create a native app separate from the Windows one that ran on Linux. So, Valve decided to take the onus off the developers and instead create Proton, a compatibility layer.
With Proton, Linux distros could run Windows games without the developers needing to lift a finger. It's not perfect; in fact, there's an entire website called ProtonDB where people test out titles and share any grievances they have getting the game to work on their system. However, the cool thing about Proton being open-source was that people could fix the issues they were encountering and improve gaming for everyone.
The obvious benefit of Proton's advancement is that more Steam titles will run more smoothly on the Steam Deck. However, it also meant that desktop operating systems could run Windows games via Proton. People could tap into their Steam library on a Linux distro, and all was good.
And then Linux started winning.
People were used to Proton being a good enough, but not a superior, alternative to Windows. So, when Linux distros running Proton began running games and managing hardware better than Windows (including on Microsoft's own branded console), people began taking note. Linux distros could now let you play your Steam games on a free operating system, and the sheer lack of bloat that Windows comes with meant that your games ran better. And Microsoft was likely very unhappy.
[...] Then, around the end of 2025, Microsoft got a harsh wake-up call. While it was very excited about what Copilot could do, Windows users were decidedly not. So, in a bid to regain trust, Microsoft launched what it calls the Windows K2 project.
Windows K2 sounds like it'd be an entirely new OS, but it's actually a huge effort to rework Windows 11 to tackle some of its major problems while also scaling back Copilot integrations where they don't make a lot of sense. Windows K2 includes bringing Copilot out of Notepad and rewriting the Start menu in WinUI 3. However, one of the most interesting initiatives was to treat SteamOS like a benchmark for Windows 11.
[...] As such, there's a good chance we'll see Microsoft's efforts to match SteamOS's performance very soon. Remember, the company wants to use Windows 11 on its new Xbox console, and if people learn that wiping Windows off it and replacing it with SteamOS is the best course of action, Microsoft may never live it down.
Microsoft still hasn't properly recovered from the age-old mantra of using Edge to download another browser. If it wants people to not have the same approach with its gaming consoles, where people strip out Windows 11 and add SteamOS to it, it needs to reclaim its crown. Fortunately, Windows K2 will likely give the OS the boost it needs, and if it doesn't, I'll know what operating system I'll be gaming on in the near future.
New Yale School of Medicine (YSM) research suggests that two proteins on the surface of brain neurons involved in movement may play a key role in the progression of Parkinson’s disease.
Parkinson’s disease is a neurodegenerative disorder in which neurons gradually deteriorate and die. This cell loss is linked to the buildup of α-synuclein, a protein that becomes misfolded and can spread from one neuron to another.
Scientists still do not fully understand how α-synuclein moves between cells. A new study in Nature Communications points to two membrane proteins, mGluR4 and NPDC1, as important factors that help carry misfolded α-synuclein into healthy neurons after it is released by dying ones.
Senior author Stephen Strittmatter, MD, PhD, Vincent Coates Professor of Neurology and chair of the Department of Neuroscience at YSM, says the discovery could support the development of better Parkinson’s treatments.
Misfolded α-synuclein is “the pathologic hallmark of Parkinson’s disease,” he says. “If we understood how it gets into neurons, we could perhaps block or slow down the progression of the disease,” he adds. But to do that, “we need to understand the molecular mechanism of how it spreads.”
Neurodegenerative diseases, including Alzheimer’s and Parkinson’s, are becoming an increasing health concern in the United States. The Parkinson’s Foundation estimates that about 1.1 million people in the U.S. are currently living with Parkinson’s disease, with nearly 90,000 new diagnoses each year.
Parkinson’s disease often causes movement-related symptoms, including tremors, balance problems, and slower movement. These symptoms are tied to the accumulation of misfolded α-synuclein in motor-related brain cells. As the protein spreads from neuron to neuron, symptoms become worse.
One possible way α-synuclein enters new cells is by attaching to proteins on the cell surface. To test that possibility, Strittmatter and his colleagues generated 4,400 groups of cells, each designed to express different surface proteins, and examined whether any of them bound to misfolded α-synuclein.
Most of the surface proteins did not bind to it. However, 16 did, including two found in human dopamine neurons in the substantia nigra, the brain region that degenerates in Parkinson’s disease. The researchers found that these two proteins, mGluR4 and NPDC1, carried misfolded α-synuclein into cells.
The results led Strittmatter and his colleagues to suspect that mGluR4 and NPDC1 may help α-synuclein move between neurons. To investigate further, the researchers genetically engineered mice so that either mGluR4 or NPDC1 no longer functioned, then introduced misfolded α-synuclein.
In normal mice, the introduced misfolded α-synuclein built up in the brain, and the animals developed Parkinson’s-like symptoms. Mice lacking functional mGluR4 or NPDC1 did not show the same pattern. The researchers also found that removing the genes for these two surface proteins in a mouse model of Parkinson’s disease reduced the risk of death and slowed symptom progression.
Together, the experiments suggest that mGluR4 and NPDC1 act together to help move misfolded α-synuclein into neurons in mice.
Strittmatter says the findings point to a possible new route for Parkinson’s disease treatment. Current therapies mainly help manage symptoms, but they do not effectively stop the disease from progressing. Targeting the spread of α-synuclein directly could lead to treatments that slow or possibly halt Parkinson’s disease, he says.
Such treatments could become increasingly important in the years ahead. Parkinson’s disease and other neurodegenerative conditions mainly affect older adults. As the number of Americans over age 65 rises in the coming decades, more people will face a higher risk of developing Parkinson’s disease.
“We have an aging population. How we can stop or slow neurons from dying is an enormous problem,” says Strittmatter. “This is really the time to make some inroads into figuring out how to slow it down.”
Reference: “mGluR4–NPDC1 complex mediates α-synuclein fibril-induced neurodegeneration” by Azucena Perez-Canamas, Mingming Chen, Leire Almandoz-Gil, Nabab Khan, Si Jie Tang, Allyson Ho, Erik C. Gunther and Stephen M. Strittmatter, 25 December 2025, Nature Communications.
DOI: 10.1038/s41467-025-67731-3
Removing the Modem and GPS from my 2024 RAV4 Hybrid:
Modern cars are computers on wheels - they have more sensors than you can count and are constantly phoning home with telemetry data like your location, speed, fuel levels, sudden accelerations/decelerations, video footage, driver attention data from eye monitoring systems, and hundreds of other data points. Cars have inward- and outward-facing cameras. They have microphones. They have always-on modems. It's all enabled by default with difficult or meaningless opt-outs, and your data is monetized through brokers like LexisNexis or Verisk. [...]
Now that we're sufficiently motivated, what can we do about it? In this blog post, rather than relying on companies' promises or meaningless opt-outs, we're going to stop the data at the source by physically removing the modem (the DCM, or Data Communication Module) as well as the built-in GPS on my 2024 RAV4 Hybrid, so the car will no longer have the capability to send any telemetry data back home. Let's dive in:
TFA follows with a step-by-step process to remove the DCM and replace it with a bypass module so that the in-car microphone is still functional, and to unplug the built-in GPS antenna.
Conclusion
Overall I'm very happy with this project. Unfortunately I think it's only a matter of time before the modem and GPS become more deeply integrated into the car (making this blog post infeasible), or cars have more drastic failure modes when the modem/GPS is removed, or anti-right-to-repair laws get passed to further clamp down on this behavior. For now the win stands - no telemetry leaves the car. Strong Federal privacy laws would make posts like this unnecessary, that's the world I'd rather live in.
YellowKey exploit bypasses BitLocker full volume encryption via USB stick and WinRE
The Epitome of WTF: A researcher known as "Nightmare-Eclipse" recently released YellowKey, a security vulnerability that allegedly enables a full bypass of BitLocker's full-volume encryption. The researcher described YellowKey as one of the most "insane" flaws they have ever encountered and has also accused Microsoft of potentially embedding a legitimate backdoor in BitLocker's data protection system.
According to the researcher, YellowKey appears unusual for a previously unknown security bug. Nightmare-Eclipse explained that the flaw can be reproduced by copying an attached "FsTx" folder to a USB drive formatted with a Windows-compatible file system such as NTFS, FAT32, or exFAT.
The vulnerability may also work without a USB drive if the FsTx files are copied to the Windows EFI partition and the encrypted disk is temporarily disconnected from the system. After placing the FsTx folder, an attacker would need to reboot a BitLocker-protected machine, enter the Windows Recovery Environment, and follow a specific sequence of inputs.
If the procedure is completed correctly, a command shell reportedly appears, granting unrestricted access to BitLocker-protected volumes. No passwords are required, and the encrypted data may become fully accessible for browsing, copying, and other file operations.
Nightmare-Eclipse believes that YellowKey's vulnerability could reasonably be considered a backdoor intentionally introduced into BitLocker by Microsoft. Their reasoning is that the component triggering the issue can only be found in the official WinRE image. The same component is also present in standard Windows installation images, but it does not exhibit the BitLocker-bypassing behavior observed on live systems.
The researcher explained that they "just can't come up with an explanation beside the fact that this was intentional. Also for whatever reason, only Windows 11 (+Server 2022/2025) are affected, Windows 10 is not."
Third-party researchers have reportedly confirmed that YellowKey behaves as described by Nightmare-Eclipse in public GitHub materials. In addition, the researcher released a second exploit, GreenPlasma, which is said to enable privilege escalation. They did not publish full proof-of-concept code for achieving SYSTEM-level access, instead suggesting they may disclose further details ahead of next month's Patch Tuesday.
Nightmare-Eclipse is known for targeting Microsoft and the company's alleged hostility toward external security researchers. Previously operating under the alias "Chaotic Eclipse," they released Red Sun and other vulnerabilities with public proof-of-concept code, while accusing Microsoft of damaging their career and reputation.
As for YellowKey's alleged backdoor behavior, mitigation is relatively straightforward. Security professionals generally recommend avoiding reliance on any single encryption system and instead evaluating well-reviewed full-disk encryption alternatives such as VeraCrypt.
As a metric of just how much damage the push to "electrify" everything on wheels has caused [Ed's Comment: In the USA], it's hard to surpass Honda CEO Toshihiro Mibe's announcement the other day that Honda – Honda! – suffered its first-ever money-losing year last year:
"The outlook is very challenging. However, we would like to explain the circumstances leading to this management decision and the future direction for rebuilding the mid-to long-term strategy for our automobile business," he said.
[...] Honda – like a number of other vehicle manufacturers that drank the EV Kool Aid – has cancelled several pending EVs that had been scheduled to make their debut this year, including the entire "0" series. It turns out zero will be made, which is better than zero dollars being earned (and many dollars probably lost).
"We made this decision with a heavy heart, believing that introducing these three models to market without an outlook for business viability may lead to an early discontinuation of production, which could cause a concern and inconvenience to our customers as a result of potential damage to the value of the Honda brand."
The Prologue – Honda's first EV – is also the first Honda to be cancelled after just three years of availability. It ought never to have seen the light of day – and not just because it's another over-priced ($40k to start) crossover that goes half as far as $25k gas-engined crossovers and tethers its owner to a charge cord – but also because it wasn't even a Honda. It was a reskinned Chevy Blazer EV, with some trim/feature tweaks. This saved Honda some money, by not wasting it on R&D'ing its own EV – but it also arguably damaged Honda's brand, something far more costly.
Previously:
https://www.slashgear.com/2166169/why-european-cars-cant-use-american-engine-oil/
If you plan to import a car from Europe, you'll need to make some adjustments. In the case that you get it from one of the countries that manufactures right-side driving cars, you'll certainly need to adjust your orientation behind the wheel. You will also likely need to change the engine oil you are using, as you shouldn't use U.S. engine oil on European cars.
European cars and their engines differ in the type of oil they need, and different agencies specify which types of oil can be used. While specifications from the American Petroleum Institute (API) are largely shaped by engine health and performance, specifications from the European Automobile Manufacturers Association (ACEA) are more focused on environmental concerns and meeting emissions regulations.
This leads to several key differences between European and American engine oil. In general, European engine oil is designed to protect better under extreme temperatures. European engines are also generally designed to go longer without an oil change than American engines, meaning engine oil has to be formulated in a way that prevents sludge deposits from building up over a longer period.
European countries also have a lot more diesel-powered vehicles, with diesel particulate filters (DPF) and catalysts installed to help prevent pollution. The ACEA specifies how much sulfated ash, phosphorus, and sulfur (SAPS) should be in engine oil, as too much of these substances can damage these sensitive components. To further complicate matters, certain European manufacturers like Porsche and Volkswagen have their own specifications for which type of engine oil you should use.
If you suspect you used the wrong engine oil, it's a good idea to get your vehicle checked by someone that can drain the oil and replace it with the correct one for your engine. You want to make sure you are not only meeting your European car's baseline specifications, but also one that meets the model's specific standards for optimal engine health and performance. If you act quickly, you can avoid doing permanent damage to the engine.
FreeBSD is often described as one of the most secure operating systems in the world, with its reputation arising from its high-quality networking stack, deliberate engineering, and a philosophy of security through simplicity. FreeBSD's history and usage are remarkable: it powers Netflix's Open Connect infrastructure, Sony's PlayStation OS, part of Nintendo's Switch OS, Yahoo's backend services, NetApp's storage systems, Citrix's NetScaler, and (historically) WhatsApp's backend services; it has long helped form the software base of major networking platforms (Cisco, Juniper, and so on); it is now the focus of a substantial Foundation effort to make it work better on modern laptops; and, for full disclosure, it remains the author's personal operating system of choice.
CVE-2026-42511: Command Injection to Root RCE
AISLE discovered a remote command execution vulnerability in FreeBSD's dhclient that is trivially weaponizable and wormable by any system on the same local network as the FreeBSD system. The vulnerability first entered FreeBSD in the 2005 release of FreeBSD-6.0 when OpenBSD's dhclient was imported, and lay dormant until discovered by AISLE. The vulnerability also affected OpenBSD until 2012, when that operating system deprecated dhclient-script completely, effectively fixing the vulnerability.
The initial flaw was identified by AISLE's AI-based source code analysis pipeline and then investigated by our triage agents. Joshua Rogers of AISLE's Offensive Security Research Team traced the relevant code paths, established the full security impact, and developed a proof of concept demonstrating a complete local-network-to-root exploit chain.
With $750,000 recently budgeted for key improvements to laptop support, including greater Wi-Fi support, the attack surface here becomes even more relevant to everyday systems. A malicious wireless access point, or in some cases another attacker on the same Wi-Fi network able to spoof DHCP, can target the exact DHCP path that almost every wireless FreeBSD system will rely on. Imagine you're the author of this post, who runs FreeBSD on their laptop: you're at a coffee shop, airport, or hotel, and as soon as you connect your FreeBSD-equipped laptop to the Wi-Fi, your whole system is hijacked in secret. Imagine you have a PlayStation whose OS is locked down from any unofficial access, only to be jailbroken/hijacked by connecting to a network. In other words, this vulnerability not only affects servers, but any FreeBSD machine that connects to a network using DHCP.
The vulnerability was a logic flaw that allowed attacker-controlled protocol data to be persisted into a trusted configuration-like format without proper sanitization, then later reinterpreted in a privileged execution path. That is exactly the kind of bug AISLE's autonomous security platform is built to find. Like our recent findings in OpenSSL, Firefox, libpng, and Amazon's Crypto Stack, this result came from disciplined engineering and end-to-end analysis, not model mythology.
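The bug class described above (network data persisted into a quoted, config-like record and later re-read by a privileged consumer) can be shown with a small writer/reader pair. This is an added example, not FreeBSD's or AISLE's code and not a reproduction of the dhclient flaw: the record format, the sample value, and the function names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record format (assumption): option host-name "<value>"; */

/* Writer-side defence: backslash-escape quote and backslash, octal-escape
 * bytes outside printable ASCII. Returns escaped length, -1 if dst too small. */
int quote_field(const unsigned char *src, size_t n, char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = src[i];
        if (o + 5 > cap) return -1;              /* worst case: 4 bytes + NUL */
        if (c == '"' || c == '\\') { dst[o++] = '\\'; dst[o++] = (char)c; }
        else if (c < 0x20 || c > 0x7e)
            o += (size_t)snprintf(dst + o, cap - o, "\\%03o", (unsigned)c);
        else dst[o++] = (char)c;
    }
    if (o >= cap) return -1;
    dst[o] = '\0';
    return (int)o;
}

/* Reader side: count ';'-terminated statements, honouring quotes and
 * backslash escapes. Returns -1 on an unterminated quoted string. */
int count_statements(const char *s) {
    int in_q = 0, count = 0;
    for (; *s; s++) {
        if (in_q && *s == '\\' && s[1]) { s++; continue; }
        if (*s == '"') in_q = !in_q;
        else if (*s == ';' && !in_q) count++;
    }
    return in_q ? -1 : count;
}

/* Unsafe writer: the value is pasted between the quotes unchanged. */
int emit_naive(const char *v, char *out, size_t cap) {
    return snprintf(out, cap, "option host-name \"%s\";", v);
}

/* Hardened writer: the value is escaped before it is persisted. */
int emit_quoted(const char *v, char *out, size_t cap) {
    char esc[256];
    if (quote_field((const unsigned char *)v, strlen(v), esc, sizeof esc) < 0) return -1;
    return snprintf(out, cap, "option host-name \"%s\";", esc);
}

int main(void) {
    const char *v = "lab\"; note \"x";           /* constructed sample value */
    char a[512], b[512];
    emit_naive(v, a, sizeof a);
    emit_quoted(v, b, sizeof b);
    printf("naive : %s -> %d statement(s)\n", a, count_statements(a));
    printf("quoted: %s -> %d statement(s)\n", b, count_statements(b));
    return 0;
}
```

With the naive writer the reader sees two statements where the writer meant one; with escaping, the same bytes stay inside a single quoted value.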
It's not much cheaper than an equivalent laptop, so who's this for, exactly?
The early history of personal computers is stacked with systems such as the Apple II and the Commodore 64 that had the components living inside a keyboard. But as technology evolved, the keyboard became a peripheral and the PC itself was either in a separate box or the whole system was a laptop.
Now, HP has a new spin on this decades-old idea. It embeds a full-fledged AI PC inside a 101-key keyboard you can carry with you from the office to home.
Unlike '80s microcomputers or hobbyist-oriented products like the Raspberry Pi 500, the EliteBoard G1a is squarely targeted at business. The system is part of HP's commercial lineup, alongside its EliteBook laptops, and, for better or worse, it comes with HP Wolf Security preinstalled. The company clearly hopes organizations will buy these in bulk. But to benefit from it, you really have to prefer a mobile keyboard to a traditional laptop, all money aside.
When we talked with product managers at HP, they suggested IT departments would buy these computers for two types of workers.
The first group is so-called "dual deskers" - knowledge workers who have a desk with a monitor at work and another at home. The second group includes deep-pocketed call centers or environments where desk space is at a premium.
From time immemorial, dual-deskers have carried laptops and closed their lids when they docked to a monitor at work. With the EliteBoard, they could simply schlep the keyboard, which weighs a mere 1.49 pounds – about half the weight of a lightweight laptop. To make this situation work in companies with managed systems, we have to assume that either the IT department would give out monitors to use at home or offer some reason (a subsidy? a mandate?) for employees to buy their own for home.
The EliteBoard connects to monitors using its USB4 port, so its ideal monitor is one that has Thunderbolt or USB video connectivity built in. Less-expensive and older monitors don't have this type of connectivity, but select configs of the EliteBoard come with an optional USB-to-HDMI adapter that you can use with other monitors, and it has a USB pass-through for power. That said, HP demonstrated the EliteBoard at numerous press events by showing how much desk space it saves by using a single USB cable to get power, video out, and connectivity to peripherals via the monitor. So if companies want employees to be able to take advantage of this scenario at home, that means shelling out another few hundred bucks for a modern monitor, or making employees do it.
Today, companies with limited desk space for a call center or another cramped work area could just buy a tiny desktop to sit behind the monitor or next to it. However, building all of the PC's guts into the keyboard makes a lot of sense for space savers, because a keyboard is something every PC needs and a desktop chassis is not. If a company wanted to, it could give each employee their own EliteBoard, have them plug it into a monitor during work time and then have them stick it in a drawer when they go off shift and someone else comes on.
Long article continues here.