Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input. The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.

A new study reveals that many users, particularly students and Redditors, view Z-Library as a vital resource for overcoming economic barriers to education, reflecting a "Robin Hood" mentality that prioritizes access to knowledge over copyright concerns. TorrentFreak reports: The research looks at the motivations of two groups; Reddit users and Chinese postgraduate students. Despite the vast differences between these groups, their views on Z-Library are quite similar. The 134 Reddit responses were sampled from the Zlibrary subreddit, which is obviously biased in favor of the site. However, the reasoning goes well beyond a simple "I want free stuff" arguments. Many commenters highlighted that they were drawn to the site out of poverty, for example, or they highlighted that Z-Library was an essential tool to fulfill their academic goals.

"Living in a 3rd world country, 1 book would cost like 50%- 80% already of my daily wage," one Redditor wrote. The idea that Z-Library is a 'necessary evil' was also highlighted by other commenters. This includes a student who can barely make ends meet, and a homeless person, who has neither the money nor the space for physical books. The lack of free access to all study materials, including academic journal subscriptions at university libraries, was also a key motivator. Paired with the notion that journal publishers make billions of dollars, without compensating authors, justification is found for 'pirate' alternatives. "They make massive profits. So stealing from them doesn't hurt the authors nor reviewers, just the rich greedy publishers who make millions just to design a cover and click 'publish'," one Redditor wrote.

The second part of the study is conducted in a more structured format among 103 postgraduate students in China. This group joined a seminar where Z-Library and the crackdown were discussed. In addition, the students participated in follow-up focus group discussions, while also completing a survey. Despite not all being users of the shadow library, 41% of the students agreed that the site's (temporary) shutdown affected their ability to study and find resources for degree learning. In general, the students have a favorable view toward Z-Library and similar sites, and 71% admit that they have used a shadow library in the past. In line with China's socialist values, the overwhelming majority of the students agreed that access to knowledge should be free for everyone. While the students are aware of copyright law, they believe that the need to access knowledge outweighs rightsholders' concerns. This is also reflected in the following responses, among others. All in all, Z-Library and other shadow libraries are seen as a viable option for expensive or inaccessible books, despite potential copyright concerns. The paper has been published in the Journal of University Teaching & Learning Practice.

An anonymous reader shares a report: On Tuesday morning, the air quality in India's capital under a widely used index stood at 485. While that is almost five times the threshold for healthy breathing, it felt like a relief: The day before, the reading had shot up to 1,785. Infinitesimal air particles were still clogging lungs and arteries, but it was possible to see sunlight again, and to smell things.

[...] Every year this suffocating smog accompanies the drop in temperatures as the plains of north India shed their unbearable heat for wintertime cool. And like clockwork, political leaders roll out emergency measures intended to quit making the problem worse. Yet India seems powerless to reduce the effects of this public health catastrophe, as its politicians stay busy trading blame and trying to outmaneuver one another in legal battles.

The haze was so shocking this week that Delhi's chief minister, Atishi, who goes by one name, declared it a "medical emergency" endangering the lives of children and older people. The Supreme Court, whose members also live in the capital, chided the national government for responding too slowly and ordered special measures: halting construction work and blocking some vehicles from the roads. Schools were closed indefinitely to protect students.

Oil and chemical companies who created a high-profile alliance to end plastic pollution have produced 1,000 times more new plastic in five years than the waste they diverted from the environment, according to new data obtained by Greenpeace. The Guardian:The Alliance to End Plastic Waste (AEPW) was set up in 2019 by a group of companies which include ExxonMobil, Dow, Shell, TotalEnergies and ChevronPhillips, some of the world's biggest producers of plastic. They promised to divert 15m tonnes of plastic waste from the environment in five years to the end of 2023, by improving collection and recycling, and creating a circular economy.

Documents from a PR company that were obtained by Greenpeace's Unearthed team and shared with the Guardian suggest that a key aim of the AEPW was to "change the conversation" away from "simplistic bans of plastic" which were being proposed across the world in 2019 amid an outcry over the scale of plastic pollution leaching into rivers and harming public health. Early last year the alliance target of clearing 15m tonnes of waste plastic was quietly scrapped as "just too ambitious."

The new analysis by energy consultants Wood Mackenzie looked at the plastics output of the five alliance companies; chemical company Dow, which holds the AEPW's chairmanship, the oil companies ExxonMobil, Shell and TotalEnergies, and ChevronPhillips, a joint venture of the US oil giants Chevron and Phillips 66. The data reveals the five companies alone produced 132m tonnes of two types of plastic; polyethylene (PE) and PP (polypropylene) in five years -- more than 1,000 times the weight of the 118,500 tonnes of waste plastic the alliance has removed from the environment in the same period. The waste plastic was diverted mostly by mechanical or chemical recycling, the use of landfill, or waste to fuel, AEPW documents state.

Longtime Slashdot reader slack_justyb writes: The Fast Light Toolkit released version 1.4.0 of the venerable, though sometimes looking a bit dated, toolkit from the '90s. New in this version are better CMake support, HiDPI support, and initial support for Wayland on Linux and Wayland on FreeBSD. Programs compiled and linked to this library launch using Wayland if it is available at runtime and fall back to X11 if not. FLTK 1.4.0 can be downloaded here. Documentation is also available.

An anonymous reader quotes a report from Nature: Google Scholar -- the largest and most comprehensive scholarly search engine -- turns 20 this week. Over its two decades, some researchers say, the tool has become one of the most important in science. But in recent years, competitors that use artificial intelligence (AI) to improve the search experience have emerged, as have others that allow users to download their data. The impact that Google Scholar -- which is owned by web giant Google in Mountain View, California -- has had on science is remarkable, says Jevin West, a computational social scientist at the University of Washington in Seattle who uses the database daily. But "if there was ever a moment when Google Scholar could be overthrown as the main search engine, it might be now, because of some of these new tools and some of the innovation that's happening in other places," West says.

Many of Google Scholar's advantages -- free access, breadth of information and sophisticated search options -- "are now being shared by other platforms," says Alberto Martin Martin, a bibliometrics researcher at the University of Granada in Spain. AI-powered chatbots such as ChatGPT and other tools that use large language models have become go-to applications for some scientists when it comes to searching, reviewing and summarizing the literature. And some researchers have swapped Google Scholar for them. "Up until recently, Google Scholar was my default search," says Aaron Tay, an academic librarian at Singapore Management University. It's still top of his list, but "recently, I started using other AI tools." Still, given Google Scholar's size and how deeply entrenched it is in the scientific community, "it would take a lot to dethrone," adds West. Anurag Acharya, co-founder of Google Scholar, at Google, says he welcomes all efforts to make scholarly information easier to find, understand and build on. "The more we can all do, the better it is for the advancement of science." Acharya says Google Scholar uses AI to rank articles, suggest further search queries and recommend related articles. What Google Scholar does not yet provide are AI-generated summaries of search query results. According to Acharya, the company has yet to find "an effective solution" for summarizing conclusions from multiple papers in a brief manner that preserves all the important context.

One of India's largest news agencies, Asian News International, has sued OpenAI in a case that could set a precedent for how AI companies use copyrighted news content in the world's most populous nation. From a report: Asian News International filed a 287-page lawsuit in the Delhi High Court on Monday, alleging the AI company illegally used its content to train its AI models and generated false information attributed to the news agency. The case marks the first time an Indian media organization has taken legal action against OpenAI over copyright claims.

Ranga Dias, a physics professor who made headlines with claims that he had discovered a room-temperature superconductor and then was found to have engaged in research misconduct, is no longer employed by the University of Rochester. WSJ: A spokeswoman for the university confirmed on Monday that Dias is out but declined to comment on the terms of his departure. The Wall Street Journal previously reported that Rochester President Sarah Mangelsdorf had called for terminating his position in an August letter to the chair and vice chair of the university's Board of Trustees.

Dias leaves the university after years of accusations that he had misrepresented data in multiple papers. He is a senior author on at least five papers retracted in just over two years. One of those, which identified a material that functioned as a superconductor at room temperature, was pulled by the journal Nature after several co-authors told the journal that Dias had misrepresented information in the paper. Dias didn't respond to requests for comment. He has previously denied manipulating or misrepresenting data.

His departure follows a monthslong university investigation completed in February that was led by three outside experts who reviewed documents and data from Dias's laboratory computers and interviewed Dias and his collaborators. The investigative panel found evidence of misconduct in four papers in which Dias is a senior author and in a grant proposal he submitted to the National Science Foundation. Then-provost David Figlio accepted the conclusions and referred his case to a faculty committee "for potential removal." Dias sued the university in February claiming that the probe into his work was biased and didn't follow university policies.

Bhutan, the tiny kingdom that introduced Gross National Happiness to the world, has a problem: young people are leaving the country in record numbers. CNN: The country boasts free health care, free education, a rising life expectancy and an economy that's grown over the last 30 years -- still, people are leaving. Prime Minister Tshering Tobgay believes it is ironically the success of Gross National Happiness that has made young Bhutanese so sought after abroad. "It is an existential crisis," he said.

Bhutan, which is about the size of Maryland, was largely isolated from the rest of the world for centuries. The kingdom was so protective of its unique Buddhist culture that it only started allowing foreign tourists to visit in the 1970s and didn't introduce television until 1999. Buddhism is the country's national religion. Bhutanese, especially older men and women, spend hours spinning prayer wheels full of Buddhist scriptures. Prayer flags flutter on hillsides and in forests, turning nature itself into a shrine. Bhutan's capital city of Thimpu still has no traffic lights. The nation's roads are shared by cars and cows.

An anonymous reader quotes a report from TechCrunch: For the past couple of years, the startup has been iterating on a brand-new CRM platform and making everything available on GitHub under a permissive AGPLv3 license. While Twenty doesn't have all the features that you can find in Salesforce [comparison], the company is slowly building a community of CRM and open source enthusiasts around it, with more than 300 contributors in the last year and 20,000 stars on GitHub. [...] Twenty is trying to build a flexible platform that can be tweaked to every company's needs and that can serve as a basis for other tools and use cases. Each entry in a CRM is an object. It can be a standard, pre-defined object like a person or a company. But customers can also create their own custom objects.

If you're a conference organizer, you can create a conference object. If you're a restaurant chain manager, you can create a restaurant object. As you may have guessed, Twenty also lets you create custom fields for each object. This way, it's easier to capture and compare data across multiple entries. This customer data can be viewed in Twenty directly in list or Kanban views. People can sort and filter entries, add tasks and notes, all the usual CRM stuff. But data in Twenty can also be reused with GraphQL and REST APIs. And that's how you can extend Twenty beyond its CRM roots. Eventually, Twenty hopes there will be an active ecosystem of developers working on extensions and plugins to build a proper alternative to the Salesforce product suite. But we're not there yet. "Building a CRM is a daunting task, especially for us because of the way we've chosen to do it. We're building a platform, and we're not taking any shortcut. In fact, we still need to work on workflows, on automation and more," [said Twenty co-founder and CEO Felix Malfait]. "People often don't understand why Salesforce is so big, so powerful," Malfait said. Salesforce's platform utilizes a flexible data model -- a programming language called Apex to execute code on Salesforce's servers and a front-end customization framework.

"So when you have these three bricks you can store data, do logic on the back end, and display the result as you like," Malfait said. "It means that you can do everything. And that's what we want to enable in the long term."

An anonymous reader shares a report: Earlier this year I had one of those encounters which, afterwards, I just couldn't stop thinking about. Eight months and some digging later, I have decided to write about it. My meeting was with an American businessman called Tom Kearney, who was on a pavement in central London one Christmas when he was whacked on the head so hard that he fell to the ground, spent weeks in a coma, and only just survived. Had he been mugged? Not quite. He'd been hit by the giant wing mirror of a London bus.

[...] The most recent data show that 86 people died or were badly injured in bus collisions in London between 10 December 2023 and 31 March 2024. Kearney's analysis of TfL data suggests that around three people a day are hospitalised after bus safety incidents. That doesn't feel good, even though it's tiny in comparison to the 1.8bn annual passenger journeys. Compared with other world cities like New York and Paris the capital's buses rank in the top quartile for financial efficiency but the bottom quartile for collisions per kilometre. And the number of collisions in London has increased in the past couple of years, despite buses travelling fewer miles.

Could this have anything to do with the way that bus contracts prioritise speed? Last week, hundreds of bus drivers marched to TfL headquarters to demand better working conditions and the right to report safety concerns "without fear of retribution from TfL or employers." Drivers described the pressure of long shifts, few breaks and having to drive in sometimes blistering heat, all while being shouted at over a monitor by controllers who want them to make up the time to the next stop, and keep the right amount of distance between their bus and next. It's not surprising that a third of bus drivers, before the pandemic, reported having had a "close call" from fatigue.

With the government about to export the London franchise model to other parts of the country, someone in Whitehall needs to take a look. Michael Liebreich, a former McKinsey consultant who sat on the TfL board for six years, believes that TfL's contracting out model is "institutionally unsafe." Bus drivers are under such pressure, he thinks, that some may break the speed limit and overtake cyclists dangerously.

According to Bloomberg, the U.S. Justice Department wants Google to sell off its Chrome browser as part of its ongoing search monopoly case. The recommendations will be made official on Wednesday. 9to5Google reports: At the top of the list is having Google sell Chrome "because it represents a key access point through which many people use its search engine." There are many questions about how that works, including what the impact on the underlying Chromium codebase would be. Would Google still be allowed to develop the open-source project by which many other browsers, like Microsoft Edge use? "The government has the option to decide whether a Chrome sale is necessary at a later date if some of the other aspects of the remedy create a more competitive market," reports Bloomberg. Google, which plans to appeal, previously said that "splitting off Chrome or Android would break them."

Bloomberg reports that "antitrust officials pulled back from a more severe option that would have forced Google to sell off Android." However, the government wants Google to "uncouple its Android smartphone operating system from its other products, including search and its Google Play mobile app store, which are now sold as a bundle." Meanwhile, other recommendations include licensing Google Search data and results, as well as allowing websites that are indexed for Search to opt out of AI training.

An anonymous reader quotes a report from Ars Technica: An AI-generated nude photo scandal has shut down a Pennsylvania private school. On Monday, classes were canceled after parents forced leaders to either resign or face a lawsuit potentially seeking criminal penalties and accusing the school of skipping mandatory reporting of the harmful images. The outcry erupted after a single student created sexually explicit AI images of nearly 50 female classmates at Lancaster Country Day School, Lancaster Online reported. Head of School Matt Micciche seemingly first learned of the problem in November 2023, when a student anonymously reported the explicit deepfakes through a school portal run by the state attorney's general office called "Safe2Say Something." But Micciche allegedly did nothing, allowing more students to be targeted for months until police were tipped off in mid-2024.

Cops arrested the student accused of creating the harmful content in August. The student's phone was seized as cops investigated the origins of the AI-generated images. But that arrest was not enough justice for parents who were shocked by the school's failure to uphold mandatory reporting responsibilities following any suspicion of child abuse. They filed a court summons threatening to sue last week unless the school leaders responsible for the mishandled response resigned within 48 hours. This tactic successfully pushed Micciche and the school board's president, Angela Ang-Alhadeff, to "part ways" with the school, both resigning effective late Friday, Lancaster Online reported.

In a statement announcing that classes were canceled Monday, Lancaster Country Day School -- which, according to Wikipedia, serves about 600 students in pre-kindergarten through high school -- offered support during this "difficult time" for the community. Parents do not seem ready to drop the suit, as the school leaders seemingly dragged their feet and resigned two days after their deadline. The parents' lawyer, Matthew Faranda-Diedrich, told Lancaster Online Monday that "the lawsuit would still be pursued despite executive changes." Classes are planned to resume on Tuesday, Lancaster Online reported. But students seem unlikely to let the incident go without further action to help girls feel safe at school. Last week, more than half the school walked out, MSN reported, forcing classes to be canceled as students and some faculty members called for resignations and additional changes from remaining leadership.

An anonymous reader shares a report: China's population is expected to shrink by 51 million -- more than the size of California -- over the next decade as policymakers struggle to reverse the country's falling birth rate, according to Bloomberg Intelligence. By 2035, the population is expected to drop to 1.36 billion, levels not seen since 2012, down from a peak of 1.41 billion in 2021, BI senior industry analyst Ada Li estimates.

There could be a temporary spike in births in 2024 as the Year of the Dragon is considered an auspicious time to have children. But past single-year surges in birth rates have been short-lived, and this year may be no exception, especially with marriage rates at an all-time low, Li said. China faces a looming population crisis, with the United Nations projecting it could shrink to half its current size by 2100.

Donald Trump has named FCC Commissioner Brendan Carr to chair the U.S. communications regulator when he takes office in January 2025, citing Carr's stance against what Trump called "regulatory lawfare." Carr, a lawyer and longtime Republican who has served at the FCC under both Trump and Biden administrations, has emerged as a vocal critic of major social media companies' content moderation practices.

"Humbled and honored" by the appointment, Carr pledged on X to "dismantle the censorship cartel." As the FCC's senior Republican commissioner, Carr has advocated for stricter oversight of technology companies, pushing for transparency rules on platforms like Google and Facebook, expanded rural broadband access, and tougher restrictions on Chinese-owned TikTok. Trump praised Carr as a "warrior for free speech" while announcing the appointment. During his campaign, Trump has said he would seek to revoke licenses of television networks he views as biased.