Toyota and Woven Planet Have Developed a New Portable Hydrogen Cartridge Prototype

TOYOTA MOTOR CORPORATION (“Toyota”) and its subsidiary, Woven Planet Holdings, Inc. (“Woven Planet”), have developed a working prototype of its portable hydrogen cartridge. This cartridge design will facilitate the everyday transport and supply of hydrogen energy to power a broad range of daily life applications in and outside of the home. Toyota and Woven Planet will conduct Proof of Concept (“PoC”) trials in various places, including Woven City, a human-centered smart city of the future currently being constructed in Susono City, Shizuoka Prefecture.

Portable Hydrogen Cartridge (Prototype)*1

[…]

Together with ENEOS Corporation, Toyota and Woven Planet are working to build a comprehensive hydrogen-based supply chain aimed at expediting and simplifying production, transport, and daily usage. These trials will focus on meeting the energy needs of Woven City residents and those living in its surrounding communities.

Benefits of Using Hydrogen Cartridges

  • Portable, affordable, and convenient energy that makes it possible to bring hydrogen to where people live, work, and play without the use of pipes
    • Prototype dimensions
      400 mm (16″) in length x 180 mm (7″) in diameter
    • Target weight
      5 kg (11 lbs)
  • Swappable for easy replacement and quick recharging
  • Volume flexibility allows for a broad variety of daily use applications*2
  • Small-scale infrastructure can meet energy needs in remote and non-electrified areas and be swiftly dispatched in the case of a disaster

Next Steps for the Hydrogen Cartridge

[…]

Our goal is to help hydrogen become commonplace by making this clean form of energy safe, convenient, and affordable. By establishing the underlying supply chain, we hope to facilitate the flow of a larger volume of hydrogen and fuel more applications. Woven City will explore and test an array of energy applications using hydrogen cartridges including mobility, household applications, and many future possibilities we have yet to imagine. Together with inventors and those living within and around Woven City, we will continue to advance mobility over time by constantly developing more practical applications for hydrogen cartridges. In future Woven City demonstrations, we will continue to improve the hydrogen cartridge itself, making it increasingly easy to use and improving the energy density.

Hydrogen Cartridge Applications (Image)

The ultimate goal of this project is to realize a carbon-neutral society where everyone can access clean energy, first in Japan and then throughout the world. Toyota and Woven Planet aim to develop best practices for incorporating clean hydrogen energy into daily life by conducting human-centered demonstrations in and around Woven City. These real-life experiences will help us learn how to best transform hydrogen into a familiar, well-used, and well-loved form of energy.

The portable hydrogen cartridge prototype will be showcased at Super Taikyu Series 2022 Round 2 at Fuji SpeedWay from June 3 to 5, 2022*3. Our showcase is geared toward teaching people about how hydrogen energy works and helping them imagine the countless ways hydrogen can become a useful part of their daily lives.

Source: Toyota and Woven Planet Have Developed a New Portable Hydrogen Cartridge Prototype | Corporate | Global Newsroom | Toyota Motor Corporation Official Global Website

Solana ‘hot’ wallets are being drained in multi-million dollar attack

An unknown actor has drained over 8,000 internet-connected wallets in an ongoing attack on the Solana blockchain ecosystem. According to blockchain auditor OtterSec, the attacks were still ongoing when it posted an update on the evening of August 2nd, and they had affected multiple wallets, including Phantom, Slope, Solflare and TrustWallet, across a wide variety of platforms.

As TechCrunch notes, the bad actor seems to have stolen both Solana tokens and USDC stablecoins, with the estimated losses so far amounting to around $8 million. OtterSec is now encouraging users to move all their assets to a hardware wallet, and the Solana Status Twitter account echoed that advice, adding that there’s no evidence “cold” wallets have been impacted.

The Solana Status account has also revealed that an exploit allowed a malicious actor to drain funds from the compromised wallets and that it seems to have affected both their mobile versions and extensions. Engineers from multiple ecosystems have already banded together to work with security researchers to identify the root cause of the exploit, which is yet to be discovered.

[…]

Source: Solana ‘hot’ wallets are being drained in multi-million dollar attack | Engadget

WhatsApp boss says no to AI filters policing encrypted chat

Will Cathcart, who has been at parent company Meta for more than 12 years and head of WhatsApp since 2019, told the BBC that the popular communications service wouldn’t downgrade or bypass its end-to-end encryption (E2EE) just for British snoops, saying it would be “foolish” to do so and that WhatsApp needs to offer a consistent set of standards around the globe.

“If we had to lower security for the world, to accommodate the requirement in one country, that … would be very foolish for us to accept, making our product less desirable to 98 percent of our users because of the requirements from 2 percent,” Cathcart told the broadcaster. “What’s being proposed is that we – either directly or indirectly through software – read everyone’s messages. I don’t think people want that.”

Strong E2EE ensures that only the intended sender and receiver of a message can read it, and not even the provider of the communications channel nor anyone eavesdropping on the encrypted chatter. The UK government is proposing that app builders add an automated AI-powered scanner in the pipeline – ideally in the client app – to detect and report illegal content, in this case child sex abuse material (CSAM).

[…]

Source: WhatsApp boss says no to AI filters policing encrypted chat • The Register

They always trot out sex abuse and children when they want to impair your freedoms.

Nomad Bridge Hack Allowed ‘Mob’ to Drain $190m in Crypto

As evidenced by its namesake, apparently there wasn’t much security stopping a horde of wandering strangers from breaking into the Nomad DeFi project’s token bridge, allowing hundreds of unknown hackers and some users to walk away with over $190 million in crypto, leaving behind a bare pittance in the project’s wallet.

Late on Monday, users started noticing tokens being extracted from Nomad’s accounts “in million-dollar increments.” Crypto security company CertiK confirmed in a Tuesday analysis that the bridge protocol, which allows users to send tokens between separate blockchains, had been breached thanks to a routine upgrade that allowed bad actors to skip verification messages. CoinTelegraph reported that the first transaction, likely the initial hacker, managed to remove about $2.3 million in crypto from the bridge.

Apparently, this breach further allowed other users to exploit the bridge, turning it essentially into a Black Friday-esque free-for-all. CertiK’s analysis further said the vulnerability was in the token bridge’s initialization process, introduced in the flawed upgrade, allowing users to copy and paste the original hacker’s transaction number and replace it with a personal one. Researchers said in just four hours, other hackers, bots, and even community members drained the protocol in a “frenzied mob.”

The crypto developer who goes by Foobar on Twitter wrote that this attack was “the first decentralized crowd-looting of a 9-figure bridge in history.” There are hundreds of addresses that show they’ve received tokens from the bridge during the exploit.

Some users have actually gone back to the protocol, hanging their heads in shame and offering to return the stolen funds. Some claimed it was “an accident,” while others said they were trying to protect their friend’s assets, according to screenshots posted by Foobar. DefiLlama shows that the current value of the blockchain is sitting at just a little under $16,000.

[…]

Source: Nomad Bridge Hack Allowed ‘Mob’ to Drain Millions in Crypto

NASA Is Changing Its Rules for Private Astronauts

As more private astronauts venture out into space, NASA is seeking to better regulate their journeys to Earth orbit. The space agency recently announced some updates to the set of rules required for upcoming private astronaut missions, including the stipulation that all future missions be led by a former NASA astronaut.

NASA released the list of updated rules on Monday, which will be documented as part of the Private Astronaut Mission Authorization, Coordination, and Execution (PACE) Annex 1. The updates are “lessons learned” from the first private astronaut mission to the ISS, in which Axiom Space sent four astronauts to the ISS in April. Axiom Mission 1 (Ax-1) was led by former NASA astronaut Michael López-Alegría, but the new requirements now call for all future missions to be led by a former NASA astronaut. For these missions, the NASA astronaut will serve as the mission commander and provide guidance “during pre-flight preparation through mission execution.”

Axiom Space was planning on sending future missions without a NASA astronaut and have four paying customers instead of three, according to SpaceNews. It’s not yet clear how the new rules will affect the private space company’s original plan to launch private missions without a NASA astronaut in command.

[…]

Source: NASA Is Changing Its Rules for Private Astronauts

AI-friendly patent law needed for ‘national security’ argued in US Chamber of Commerce

America urgently needs to rewrite its patent laws to recognize modern artificial intelligence technologies, business and IP leaders have said.

This sentiment emerged from a series of hearings organized by the US Chamber of Commerce, during which experts from academia, industry, and government were invited to speak. The meetings, held last month, raised important questions plaguing the development of state-of-the-art AI models: should AI algorithms be patentable? And, separately, should these systems be granted patent rights for inventions they help create?

Today’s IP laws are outdated, it was argued. The rules dictating what types of innovations can be patented have stayed largely untouched since the historic Patent Act of 1793. Although the law is broad and states “any new and useful art, machine, manufacture or composition of matter, or any new and useful improvement on any art, machine, manufacture or composition of matter” is potentially patentable, there are other conditions that make it difficult to patent things like machine-learning models.

Patents are only useful if they provide clear scientific and economic benefits to the country, the group argues. It’s why the Patent Act states that descriptions of the inventions should “enable any person skilled in the art or science, of which it is a branch, or with which it is most nearly connected, to make, compound, and use the same.” That means someone suitably skilled should be able to take a patent text and diagrams, understand what’s going on, and reproduce the technology themselves.

But take a system with a trained neural network. That collection of weights and values that mysteriously turns input data into output predictions is opaque and hard to interpret: experts often don’t quite know why a model behaves the way it does, which makes explaining its inner workings in a patent difficult.

Well, OK, let’s just say the patent explains how to train the neural network to produce the same results, thus allowing the invention to be recreated. But reproducibility is notoriously difficult in machine learning. You need access to the training data and other settings to recreate it. That becomes problematic if the data is medical or personal info, or proprietary, because it would need to be made public as part of the patent filing, and not all the necessary settings and tweaks may be disclosed in an application.

Patent examiners, therefore, may struggle with patent applications of AI technology, and reject submissions, if they find the text is confusing, or not interpretable or reproducible. Thus, changes are needed in the law to allow machine-learning systems to be accepted as novel inventions, it was argued. And being able to patent and protect these inventions encourages businesses to build commercial products, we’re further told. Everyone gets to see the progression of tech and science, and inventors are granted rights to their specific part of it.

“The patent code that [our founders] put in place was fantastic, however they did not anticipate DNA processing, artificial intelligence, cryptography, software code, and all of the modern technologies of the next industrial revolution,” Andrei Iancu, former Under Secretary of Commerce for Intellectual Property and ex-Director of the United States Patent and Trademark Office (USPTO), said in a Chamber of Commerce statement on Monday.

Rejecting AI patents, however, we’re told, will keep knowledge of the latest commercial applications of the technology from the public and hamper innovation.

“So, to say that the patent system, at least from that perspective, needs to modernize is an understatement. It is absolutely crucial, and it is a matter of immediate national security,” Iancu added.

The chamber noted China has surpassed the US in the number of international patent filings in 2019 and in 2020. If America is to hold a leadership position in AI, its leaders need to treat IP, such as machine learning breakthroughs, as a national asset, Brian Drake, federal chief technology officer at Accrete AI Government, a company focused on building enterprise-level AI applications, asserted.

Because for one thing, he said, rival nations are pouring all their energies into developing machine-learning technology to use against the United States of America.

“I’m talking about all the instruments of national power from our adversaries being directed at all of our national security instruments and economic power centers. That means their intelligence apparatuses, that means their direct and indirect funding apparatuses, that means their commercial military integration activities. All of those are being directed toward artificial intelligence. And make no mistake, it is about winning the future war,” Drake said.

Most experts agree AI algorithms should be patentable, but whether patent authorship or ownership rights should be given to machines that produce technologies, however, is debatable. Current IP laws do not recognize non-human entities as inventors, meaning machine-learning systems cannot be recognized as such.

Stephen Thaler, founder of Imagination Engines, a company in Missouri, who applied in 2019 for two US patents which listed his machine named DABUS as the inventor, found this out the hard way when his applications were rejected by the US Patent and Trademark Office.

Thaler believes there is good reason to give machines at least authorship rights, as it would discourage humans from stealing computers’ ideas and profiting from them – the originator would be on record in the patent office – he previously told The Register. But it’s not clear that there is any practical use in recognizing software as inventors yet, considering they have no agency or capabilities to sue for infringement unlike humans.

“To summarize, we cannot sustain innovation around AI without robust and reliable IP rights, which are essential to the prosperity of our innovative nation,” Christian Hannon, a patent attorney serving in the Office of Policy and International Affairs at USPTO, said. “To grow our economy and stay globally competitive, we must promote invention and patenting more than ever.”

The US Chamber of Commerce, one of the largest lobbying organizations in America, is planning to publish later this year a final report from its hearings, issuing recommendations for policy changes the US government can enact.

VMware patches critical admin authentication bypass bug

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products.

That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, published Tuesday.

Here’s the bottom line of the ‘31656 bug, according to VMware: “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” Quite a nice way to get admin-level control over a remote system.

The critical vulnerability is similar to, or perhaps even a variant or patch bypass of, an earlier critical authentication bypass vulnerability (CVE-2022-22972) that also rated 9.8 in severity and VMware fixed back in May. Shortly after that update was issued, CISA demanded US government agencies pull the plug on affected VMware products if patches can’t be applied.

While the virtualization giant isn’t aware of any in-the-wild exploits (so far at least) of the newer vulnerability, “it is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware warned in an advisory. “If your organization uses ITIL methodologies for change management, this would be considered an ’emergency’ change.”

In addition to the software titan and third-party security researchers urging organizations to patch immediately, Petrus Viet, the bug hunter who found and reported the flaw, said he’ll soon release a proof-of-concept exploit for the bug. So to be perfectly clear: stop what you are doing and immediately assess and if necessary patch this flaw before miscreants find and exploit it, which they are wont to do with VMware vulns.

Tenable’s Claire Tills, a senior research engineer with the firm’s security response team, noted that CVE-2022-31656 is especially worrisome in that a miscreant could use it to exploit other bugs that VMware disclosed in this week’s security push.

“It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release,” she wrote.

She’s referring to two remote code execution (RCE) flaws, CVE-2022-31658 and CVE-2022-31659, also discovered by Petrus Viet that would allow an attacker with admin-level network access to remotely deploy malicious code on a victim’s machine. Thus someone could use the ‘31656 to log in with administrative powers, and then exploit the other bugs to pwn a device.

Both of these, ‘31658 and ‘31659, are dubbed “important” by VMware and ranked with a CVSS score of 8.0. And similar to the critical vuln that can be used in tandem with these two RCE, both affect VMware Workspace ONE Access, Identity Manager and vRealize Automation products.

In other patching news, the rsync project released updates to fix a vulnerability, tracked as CVE-2022-29154, that could allow miscreants to write arbitrary files inside directories of connecting peers.

Rsync is a tool for transferring and syncing files between remote and local machines, and exploiting this vulnerability could allow “a malicious rsync server (or Man-in-The-Middle attacker) [to] overwrite arbitrary files in the rsync client target directory and subdirectories,” according to researchers Ege Balci and Taha Hamad, who discovered the bug.

That means a malicious server or MITM could overwrite, say, a victim’s ssh/authorized_keys file.

While these three VMware vulns deserve top patching priority, there are some other nasty bugs in the bunch. This includes three local privilege-escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661 and CVE-2022-31664) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

All three received CVSS scores of 7.8 and successful exploits would allow criminals with local access to escalate privileges to root — and from there, pretty much do whatever they want, such as steal information, install a backdoor, inject a trojan, or shut down the system entirely.

[…]

Source: VMware patches critical admin authentication bypass bug • The Register

New Gmail Attack Bypasses Passwords And 2FA To Read All Email in browser extension

According to cyber security firm Volexity, the threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.

Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware’s internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

CISA says Kimsuky hackers ‘most likely tasked by North Korean regime’

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”

While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn’t attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it.

The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.

[…]

Source: New Gmail Attack Bypasses Passwords And 2FA To Read All Email