Tesla Whistleblower Says 'Autopilot' System Is Not Safe Enough To Be Used On Public Roads::"It affects all of us because we are essentially experiments in public roads."

Just seems like everything is "this company did this to their employees" and less about "this novel messaging protocol offers these measured pros and cons." Or similar

And yes, I could post things, but I'm referring to what hits the top, 12h.

Can anyone rec communities with less of a biz and politics and wfh vs in-office vibe?

The six Republicans are accused of falsifying records and each face two felony charges.

The Medical University of South Carolina initially said it wouldn’t be affected by a law banning use of state funds for treatment “furthering the gender transition” of children under 16. Months later, it cut off that care to all trans minors.

A widespread criticism of the Trump administration’s foreign policy is that it wrecked—or at least severely undermined—the United States’ power and standing in the world, particularly by alienating long-standing allies and partners. Besides his public disdain for NATO, then-U.S. President Donald Trump questioned aloud why the United States maintained a security alliance with Japan, pressed South Korea to pay five-fold more to house U.S. troops, and approved of then-Philippine President Rodrigo Duterte’s plan to terminate a visiting forces agreement with the U.S. military.

There is a discussion on Hacker News, but feel free to comment here as well.

Firmware security company Binarly on Wednesday disclosed the details of an attack method that can be used to compromise many consumer and enterprise devices by leveraging malicious UEFI logo images.

The attack method, dubbed LogoFAIL, exploits vulnerabilities in the image parsers used by the UEFI firmware to display logos during the boot process or in the BIOS setup. Getting the affected parsers to process a specially crafted image can enable the attacker to hijack the execution flow and run arbitrary code.

Hackers can use the LogoFAIL attack to compromise the entire system and bypass security measures such as Secure Boot.

“These vulnerabilities can compromise the entire system’s security, rendering ‘below-the-OS’ security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of compromise means attackers can gain deep control over the affected systems,” Binarly explained.

Binarly’s analysis showed that UEFI vendors use various types of parsers for BMP, PNG, JPEG, GIF and other types of images. The security firm’s research targeted firmware from Insyde, AMI and Phoenix and led to the discovery of two dozen vulnerabilities, more than half of which have been assigned a ‘high severity’ rating.

The impacted firmware is shipped with hundreds of consumer and enterprise computer models — including x86 and ARM-based devices — made by companies such as Acer, Dell, Framework, Fujitsu, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, and Supermicro. This means millions of devices worldwide could be exposed to attacks.

A LogoFAIL attack can be launched by abusing the firmware update procedure to replace the legitimate logo with a malicious version. Attacks through physical access may also be possible, using an SPI flash programmer, assuming that the logo is not protected by hardware verified boot technologies.

Some vendors — this includes Intel, Acer and Lenovo — offer features that enable users to customize the logos displayed during boot, which can make it possible to launch LogoFAIL attacks from the OS, without the need for physical access to the device.

It’s important to note that while image parser vulnerabilities have been found in devices from all of the aforementioned vendors, they cannot always be exploited. In Dell’s case, for instance, the logo is protected by Intel Boot Guard, which prevents its replacement even if the attacker has physical access to the targeted system. In addition, Dell does not offer any logo customization features.

Details of the attack were presented by Binarly at the Black Hat Europe conference on Wednesday, and the company has published a technical blog post describing its findings.

The security firm has published a video showing a proof-of-concept (PoC) LogoFAIL exploit in action, demonstrating how an attacker who has admin permissions on the operating system can escalate privileges to the firmware level.

The vulnerabilities were reported to impacted vendors through CERT/CC several months ago, but it can take a lot of time for patches for these types of security holes to reach end devices, even if vendors create the fixes.

Apple and Google had been told to keep the practice secret until Sen. Ron Wyden revealed it in a letter Wednesday.