Security

US Considers Law Requiring Companies to Report All Cyberattacks (politico.com)

The Colonial Pipeline cyberattack has spurred new efforts in the U.S. Congress "to require critical companies to tell the government when they've been hacked." Politico reports: Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition. The swift reaction from lawmakers reflects the disruptive impact of the ransomware attack on Colonial...

The vast majority of private companies don't have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet. That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they're perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks. Without reporting from companies, "the United States government is completely blind to what is happening," Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. "That just weakens our overall cyber posture across our entire country."

Wales said the solution was for Congress to require companies to report cyber incidents. Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government. The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year's massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said. "You couldn't have a better reason" for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.

Warner said the intent is to provide a "public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse..." In the case of Colonial, CISA's Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive... Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won't protect their information, leading to embarrassing and potentially actionable revelations.

Politico adds that "The incident reporting situation has become untenable, many cybersecurity experts say."

"Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere."

Space

Improvements Finally Made in How We Name Asteroids (wgsbn-iau.org)

RockDoctor (Slashdot reader #15,477) writes: For a number of years the administrative process for giving asteroids names has had a worsening logjam. Important or "interesting" bodies (such as `Oumuamua, the first definitely interstellar object identified) would still get names rapidly assigned, but in the background myriads of unspectacular objects would persist with "names" based on their discovery date like "1981 GD1". Which is adequate for managing databases, but less than satisfactory for most humans.

A new publication from the "Working Group for Small Body Nomenclature", combines what used to be several steps into one stage. So now one can easily find that "1981 GD1" has the name "Rutherford", to commemorate one of the major scientists of the 20th century.

No doubt there will be complaints of an over-concentration on figures from Classical legend (22 of 179 names assigned), but eventually that mine will play out. Professional and amateur astronomers (34 and 30 names) are, unsurprisingly, the largest groups commemorated. Other scientists get a good showing (16, Rutherford included), along with memorials to teachers, observatories and universities. One architect and one astronaut (there isn't a bar on memorialising living persons) also get mentions, and modest numbers of sports stars, musicians and other cultural figures pad out the list. Chinese, Japanese and Taiwanese contributors have a significant input to this batch, along with a number of South American contributions and a fair number from smaller countries (Paul Erdos, for example, in the {dead+ white+ mathematical eccentrics} category). And one entry which I can only class as a joke — 1990 QX19 gets a name which should have been used years ago. Obviously you'll need to RTFA to see the joke, but RTFA-ing is an un-Slashdot activity.

Future numbers of the Bulletin will publish new batches of assigned names, and work away on the backlog. You still need to be the discoverer of a "small body" to submit a name proposal, but that step of the process is also under review. With about 22,000 of the currently-recognised million-plus objects with well-characterised orbits, there is no realistic prospect of running out any time soon — they are being found faster than they get named. But eventually you too could name a pathetic little mudball for someone you despise. Won't that be fun?

Cellphones

Huawei Could Eavesdrop on 6.5 Million Dutch Cellphone Users Without their Knowledge (theconversation.com)

"Chinese technology provider Huawei was recently accused of being able to monitor all calls made using Dutch mobile operator KPN," writes the Conversation. Long-time Slashdot reader schwit1 shares their report: The revelations are from a secret 2010 report made by consultancy firm Capgemini, which KPN commissioned to evaluate the risks of working with Huawei infrastructure. While the full report on the issue has not been made public, journalists reporting on the story have outlined specific concerns that Huawei personnel in the Netherlands and China had access to security-essential parts of KPN's network - including the call data of millions of Dutch citizens - and that a lack of records meant KPN couldn't establish how often this happened... KPN essentially granted Huawei "administrator rights" to its mobile network by outsourcing work to the Chinese firm.

Legislation is only now catching up to prevent similar vulnerabilities in telecoms security...

Lower revenues force operators to carefully manage costs. This means that operators have been keen to outsource parts of their businesses to third parties, especially since the late 2000s. Large numbers of highly skilled engineers are an expensive liability to have on the balance sheet, and can often appear underused when things are running smoothly... Outsourcing by mobile operators is widespread. And firms in the UK and across Europe have often turned to Huawei to provide IT services and to help build core networks.

In 2010, Huawei was managing security-critical functions of KPN's core network.

Classic Games (Games)

After 35 Years, Classic Shareware Game 'Cap'n Magneto' Finally Fully Resurrected (statesman.com)

A newspaper in Austin, Texas shares the story behind a cult-classic videogame, the 1985 Macintosh shareware game "Cap'n Magneto."

It was the work of Al Evans, who'd "decided to live life to the fullest after suffering severe burn injuries in 1963" at the age of 17. Beneath the surface, "Cap'n Magneto" is a product of its creator's own quest to overcome adversity after a terrible car crash — an amalgamation of hard-earned lessons on the value of relationships, being an active participant in shaping the world and knowing how to move on... "Whether I was going to survive at all was very iffy," Evans said. "The chance of me living to the age of 28 or 30 was below 30% or something like that." Regardless of how much time he had left, Evans said he refused to let his injuries hold him back from living his life to the fullest. He would live his life with honesty, he decided, and do his best to always communicate with others truthfully. "I wasn't going to spend the next two years of my life dorking around different hospitals. So I said what's the alternative?" Evans said...

To float his many hobbies and interests, however, Evans knew he had to make money. In addition to doing work as a graphic designer and a translator, he picked up computer programming, which opened his eyes to a digital frontier that allowed for the creation of new worlds with the stroke of a keyboard. When he realized the technical capabilities of the Macintosh — the first personal computer that had a graphics-driven user interface and a built-in mouse function — Evans said he set out to build a world that could marry storytelling and graphics. With the help of his wife Cea, Evans created his one and only computer game: "Cap'n Magneto."

"I really wanted to write a good game, and I definitely think it was that," Evans said...

Australia-based gaming historian, author and journalist Richard Moss says, "What really marked it as different, though, was that the alien speech, once ungarbled by a tricorder item that players had to find, would be spoken aloud through the Mac's built-in speech synthesizer and written on-screen in comic-style speech bubbles," Moss said. "And unlike most role playing games of the time, every character you'd meet in the game could be friendly and helpful or cold and dismissive or aggressive and hostile — depending on a mix of random chance and player choice...."

With "Cap'n Magneto," Evans said he wanted to make sure that players could befriend the non-playable alien characters that the hero encounters. Though the game is beatable without their help, it is significantly easier with the help of allies. A reality in which everyone was an enemy, to Evans, was simply dishonest.

"That doesn't reflect the game of life, you know? Some people, well, most people actually, are probably pretty friendly," he said.

35 years after its release, Evans — now 75 years old — received a message on Facebook informing him that the game was still being played — but no one could finish it because the built-in "nagware" required payments that couldn't be completed.

That problem has finally been fixed, and long-time Slashdot reader shanen now shares the web site where the full game can finally be downloaded.

Security

MITRE Security Tests Reveal Built-in Advantage of First-Gen Antivirus Vendors (esecurityplanet.com)

Slashdot reader storagedude writes: The MITRE cybersecurity product evaluations use adversarial attack techniques instead of basic malware samples, and as a result are the best tests of enterprise security products — particularly in light of dramatic recent attacks on SolarWinds and Colonial Pipeline.

What's especially interesting is just how well first-generation antivirus vendors like Symantec, McAfee and Trend Micro have fared in the MITRE tests. An eSecurity Planet article analyzes the data and speculates on why the old guard may have a built-in advantage over the hot upstarts:

"They may have been overshadowed in recent years by some of the flashy marketing of the upstarts, but that long history gives the old guard a product depth that's tough to beat," eSecurity Planet wrote. "Just one example: Symantec was prepared for last year's SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware.

"In cybersecurity, experience still counts for something."

Businesses

How Should a Company Handle a Ransomware Attack? (itwire.com)

ITWire reports on how Norwegian firm Volue Technology handled a ransomware attack that began on May 5th: The company has set up a Web page with information about the attack and also links to frequent updates about the status of its systems. There was no obfuscation about the attack, none at all. The company said: "The ransomware attack on Volue Technology ('Powel') was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems."

What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him. Not some underling.

ITWire argues this response "demonstrated to the rest of the world how a ransomware attack should be handled."

Idle

Zero Day Found for Universal Turing Machine (CVE-2021-32471) (theregister.com)

xanthos (Slashdot reader #73,578) writes: Our friends over at The Register are reporting a zero day vulnerability for one of the earliest modern computer architectures.

Pontus Johnson, a professor at the KTH Royal Institute of Technology in Stockholm, Sweden, has published what amounts to a SQL injection attack on the 1967 implementation of the simulated Universal Turing Machine (UTM) designed by the late Marvin Minsky. The exploit allows an arbitrary program to be run in place of the intended one. It has been dutifully documented as CVE-2021-32471. At this time there is no patch or workaround.

Cellphones

Wealthy Install Location-Tracking Apps to Establish Proof-of-Residency for Tax Purposes (nytimes.com)

The New York Times shares the dilemma of Jeff Sheu, managing director of a private equity firm, who is "exactly the type of high earner California does not want to lose. When people in his tax bracket leave, the state is likely to audit them to make sure they really have left."

But fortunately, there's an app for that: With the May 17 tax filing deadline approaching, people who have moved to another state or are working more remotely need to be extra vigilant with their tax documents. For Mr. Sheu, that involves an app on his smartphone that uses location services to track him all the time. What he is sacrificing in privacy, he is gaining in peace of mind, knowing he will be able to show exactly when and where he was in a particular state, should California's tax authority come after him... "I'm never apart from my phone," Mr. Sheu said... "It feels to me like a pretty undebatable way to track where I am...."

Tax apps like TaxBird — which Mr. Sheu uses — and TaxDay and Monaeo were created years ago... "We've seen a fourfold increase in our app without any advertising in the past year," said Jonathan Mariner, founder and president of TaxDay, who was himself audited when he worked for Major League Baseball in New York but lived in Florida. "When people are concerned about privacy, I say you probably have a dozen apps on your phone that are tracking you, and you don't even know it...." Monaeo makes a point of describing how the data is cataloged — city, state and country, but without specific locations. It also says upfront that it does not share any data. (All three of the apps are vigilant about that.) While each tax app has different levels of precision and features to upload supporting documents, they all fulfill the basic need to prove your location to a tax authority. When it comes time to file taxes, users download reports detailing where they worked with varying degrees of specificity, from a simple day count to more detailed location information...

With hundreds of millions of dollars at stake, states in need of revenue are not going to let the money go without a fight. "This has the potential to become as messy as you can envision it," said Dustin Grizzle, a tax partner at MGO, an accounting firm. "States are going to say, 'Hey you're just using Covid to give you the ability to work remotely.'"

Biotech

Researchers Build Tiny Wireless, Injectable Chips, Visible Only Under a Microscope (columbia.edu)

Implantable miniaturized medical devices that wirelessly transmit data "are transforming healthcare and improving the quality of life for millions of people," writes Columbia University, noting the devices are "widely used to monitor and map biological signals, to support and enhance physiological functions, and to treat diseases."

Long-time Slashdot reader sandbagger shares the university's newest announcement: These devices could be used to monitor physiological conditions, such as temperature, blood pressure, glucose, and respiration for both diagnostic and therapeutic procedures. To date, conventional implanted electronics have been highly volume-inefficient — they generally require multiple chips, packaging, wires, and external transducers, and batteries are often needed for energy storage... Researchers at Columbia Engineering report that they have built what they say is the world's smallest single-chip system, consuming a total volume of less than 0.1 mm cubed. The system is as small as a dust mite and visible only under a microscope...

"We wanted to see how far we could push the limits on how small a functioning chip we could make," said the study's leader Ken Shepard, Lau Family professor of electrical engineering and professor of biomedical engineering. "This is a new idea of 'chip as system' — this is a chip that alone, with nothing else, is a complete functioning electronic system. This should be revolutionary for developing wireless, miniaturized implantable medical devices that can sense different things, be used in clinical applications, and eventually approved for human use...."

The chip, which is the entire implantable/injectable mote with no additional packaging, was fabricated at the Taiwan Semiconductor Manufacturing Company with additional process modifications performed in the Columbia Nano Initiative cleanroom and the City University of New York Advanced Science Research Center (ASRC) Nanofabrication Facility. Shepard commented, "This is a nice example of 'more than Moore' technology — we introduced new materials onto standard complementary metal-oxide-semiconductor to provide new function. In this case, we added piezoelectric materials directly onto the integrated circuit to transduce acoustic energy to electrical energy...." The team's goal is to develop chips that can be injected into the body with a hypodermic needle and then communicate back out of the body using ultrasound, providing information about something they measure locally.

The current devices measure body temperature, but there are many more possibilities the team is working on.

Earth

Study Finds Alarming Levels of 'Forever Chemicals' In US Mothers' Breast Milk (theguardian.com)

Slashdot reader Hmmmmmm quotes the Guardian: A new study that checked American women's breast milk for PFAS contamination detected the toxic chemical in all 50 samples tested, and at levels nearly 2,000 times higher than the level some public health advocates advise is safe for drinking water. The findings "are cause for concern" and highlight a potential threat to newborns' health, the study's authors say. "The study shows that PFAS contamination of breast milk is likely universal in the US, and that these harmful chemicals are contaminating what should be nature's perfect food," said Erika Schreder, a co-author and science director with Toxic Free Future, a Seattle-based non-profit that pushes industry to find alternatives to the chemicals.

PFAS, or per and polyfluoroalkyl substances, are a class of about 9,000 compounds that are used to make products like food packaging, clothing and carpeting water and stain resistant. They are called "forever chemicals" because they do not naturally break down and have been found to accumulate in humans. They are linked to cancer, birth defects, liver disease, thyroid disease, plummeting sperm counts and a range of other serious health problems. The peer-reviewed study, published on Thursday in the Environmental Science and Technology journal, found PFAS at levels in milk ranging from 50 parts per trillion (ppt) to more than 1,850ppt.

There are no standards for PFAS in breast milk, but the public health advocacy organization Environmental Working Group puts its advisory target for drinking water at 1ppt, and the federal Agency for Toxic Substances and Disease Registry, within the Department of Health and Human Services, recommends as little as 14ppt in children's drinking water.

Canada

New Spaceport Announced In Nova Scotia - Operational In 2023 (www.cbc.ca)

Slashdot reader boudie2 writes: Maritime Launch Services has secured financing it says will allow it to begin construction on a spaceport facility this fall and get its first launch off the ground in 2022. The first Cyclone 4M medium-class launch vehicle would take off in 2023.

The company wants to construct a rocket-launching site in Canso, Nova Scotia to send satellites into orbit for use in near-earth imaging, communications and scientific experiments. President and CEO Steve Matier stated the company has been approached by small satellite launchers, and MLS is considering hosting one of them for a first flight to orbit from the launch site as the facility scales up its operations. The company is expecting additional funding for the project will be secured through equity, debt and launch contracts.

Space

Two Satellites Lost after Rocket Lab's Second-Stage Booster Fails to Reach Orbit (cnet.com)

Space startup Rocket Lab "lost a pair of satellites as the second stage of one of its Electron rockets failed to make it to orbit Saturday," reports CNET: After a successful liftoff from the company's New Zealand launch facility, something went wrong after the first stage booster separated from the smaller second stage carrying two satellites for Earth imaging company BlackSky. A live feed from the second stage showed that after it separated, it appeared to go into an uncontrolled tumble.

Commentators on the company's livestream reported that telemetry from the second stage had been lost and later the Rocket Lab Twitter feed confirmed the mission failure.

"An issue was experienced during today's launch, resulting in the loss of the mission," the company tweeted. "We are deeply sorry to our launch customers BlackSky and Spaceflight. The issue occurred shortly after stage two ignition..."

Rocket Lab reported that the booster made a successful parachute-assisted splashdown in the Pacific and a specially modified ship was en route to try to recover it.

"Rocket Lab has mostly been successful so far, with 17 of its missions reaching orbit," writes Engadget. Or, as CNET puts it, "This is the third failure out of 20 Rocket Lab launches and the second loss of mission in the past year."

In a statement, Rocket Lab CEO Peter Beck said "We will learn from this, and we'll be back on the pad again."

United States

How America Will Improve Its Cybersecurity (politico.com)

Politico writes: President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enabling multi-factor authentication...

It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.

The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...

Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.

The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."

But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
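The passage above describes what an SBOM is for: a machine-readable list of the components in a build that can be queried against newly published vulnerabilities and checked for license risk. The following is an added example, not code from Politico, the executive order, or any SBOM tool. It embeds a small constructed SBOM using the CycloneDX JSON field layout (bomFormat, components, purl, licenses), a constructed vulnerability feed whose identifiers are placeholders rather than real CVEs, and an allow-list of licenses; the package names and versions are invented for the example.

```python
import json
import re

# Constructed SBOM using the CycloneDX JSON layout. Component names, versions
# and purls are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "billing-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "acme-json-parser", "version": "1.4.2",
     "purl": "pkg:maven/com.acme/acme-json-parser@1.4.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "acme-json-parser", "version": "2.0.1",
     "purl": "pkg:maven/com.acme/acme-json-parser@2.0.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "fastcrypt", "version": "0.9.3",
     "purl": "pkg:pypi/fastcrypt@0.9.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "tinylog", "version": "5.1.0",
     "purl": "pkg:npm/tinylog@5.1.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}
"""

# Constructed vulnerability feed. The ids are placeholders, not real CVEs.
# Each entry marks a half-open affected range [introduced, fixed).
VULN_FEED = {
    "acme-json-parser": [
        {"id": "EXAMPLE-VULN-0001", "introduced": "1.0.0", "fixed": "1.4.3"},
    ],
    "fastcrypt": [
        {"id": "EXAMPLE-VULN-0002", "introduced": "0.0.0", "fixed": "1.0.0"},
    ],
}

# Licenses this (hypothetical) organisation accepts in shipped products.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(text):
    """Turn '1.4.3' (or '1.4.3-beta') into a comparable tuple of ints."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Parse a CycloneDX JSON document into a flat list of component records."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in bom.get("components", []):
        licenses = []
        for entry in c.get("licenses", []):
            lic = entry.get("license", {})
            licenses.append(lic.get("id") or lic.get("name"))
        components.append({
            "name": c["name"],
            "version": c["version"],
            "purl": c.get("purl"),
            "licenses": [l for l in licenses if l],
        })
    return components


def is_affected(version, vuln):
    """True when version lies in the feed entry's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def find_vulnerable(components, feed):
    """Match every component against the feed; the same package may appear
    at several versions, so each instance is checked separately."""
    hits = []
    for c in components:
        for vuln in feed.get(c["name"], []):
            if is_affected(c["version"], vuln):
                hits.append({"purl": c["purl"], "vuln": vuln["id"], "fixed": vuln["fixed"]})
    return hits


def find_license_issues(components, allowed):
    """Flag components with a license outside the allow-list or with no
    license recorded at all (missing data is itself a finding)."""
    return [c["purl"] for c in components
            if not c["licenses"] or any(l not in allowed for l in c["licenses"])]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for hit in find_vulnerable(comps, VULN_FEED):
        print(f"{hit['purl']}: {hit['vuln']} (fixed in {hit['fixed']})")
    for purl in find_license_issues(comps, ALLOWED_LICENSES):
        print(f"{purl}: license not on allow-list")
```

The same `find_vulnerable` call answers the "newly discovered vulnerability" question the order describes: when an advisory for a package arrives, add it to the feed and rerun the check over every stored SBOM to list exactly which deployed builds carry an affected version.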

ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
Science

Analyzing 30 Years of Brain Research Finds No Meaningful Differences Between Male and Female Brains (theconversation.com)

"As a neuroscientist long experienced in the field, I recently completed a painstaking analysis of 30 years of research on human brain sex differences..." reports Lise Eliot in a recent article on The Conversation. "[T]here's no denying the decades of actual data, which show that brain sex differences are tiny and swamped by the much greater variance in individuals' brain measures across the population."

Bloomberg follows up: In 2005, Harvard's then president Lawrence Summers theorized that so few women went into science because, well, they just weren't inherently good at it. "Issues of intrinsic aptitude," Summers said, such as "overall IQ, mathematical ability, scientific ability" kept many women out of the field... "I would like nothing better than to be proved wrong," Summers said back in 2005. Well, sixteen years later, it appears his wish came true.

In a new study published in the June edition of Neuroscience & Behavioral Reviews, Lise Eliot, a professor of neuroscience at Rosalind Franklin University, analyzed 30 years' worth of brain research (mostly fMRIs and postmortem studies) and found no meaningful cognitive differences between men and women. Men's brains were on average about 11% larger than women's — as were their hearts, lungs and other organs — because brain size is proportional to body size. But just as taller people aren't any more intelligent than shorter people, neither, Eliot and her co-authors found, were men smarter than women. They weren't better at math or worse at language processing, either.

In her paper, Eliot and her co-authors acknowledge that psychological studies have found gendered personality traits (male aggression, for example) but at the brain level those differences don't seem to appear.

"Another way to think about it is every individual brain is a mosaic of circuits that control the many dimensions of masculinity and femininity, such as emotional expressiveness, interpersonal style, verbal and analytic reasoning, sexuality and gender identity itself," Eliot's original article had stated.

"Or, to use a computer analogy, gendered behavior comes from running different software on the same basic hardware."

United States

Pipeline Attacked by Ransomware Has Now Resumed Normal Operations (go.com)

Though halted last week by ransomware, America's largest gasoline pipeline announced Saturday that it's resumed normal operations, reports the Associated Press, "delivering fuel to its markets, including a large swath of the East Coast." Georgia-based Colonial Pipeline had begun the process of restarting the pipeline's operations on Wednesday evening, warning it could take several days for the supply chain to return to normal.

"Since that time, we have returned the system to normal operations, delivering millions of gallons per hour to the markets we serve," Colonial Pipeline said in a tweet Saturday. Those markets include Texas, Louisiana, Mississippi, Alabama, Tennessee, Georgia, South and North Carolina, Virginia, Maryland, Washington D.C., Delaware, Pennsylvania and New Jersey.
