Sometimes I look at my robot vacuum and wonder if it knows how much I like it. I do not ponder whether it's staring back at me, thinking...well...who knows what? If I owned an Ecovacs robot vacuum, though, that might be all I was thinking about and, soon, I'd be throwing a blanket over its potentially rapacious camera.
According to a new report and the work of long-time robot vacuum hackers, some Ecovacs vacuums can, with some skill but no physical access, be hacked, giving would-be attackers access to all onboard systems and sensors, including the camera.
It's a simple and somewhat unnerving tale: An ABC Australia news reporter, Julian Fell, followed up on reports that some Ecovacs vacuums could be hacked and was soon, with the permission of an Ecovacs owner, hacking a robot vacuum in the safety of his news site's offices.
Not a hacker himself, Fell worked with Northeastern University cybersecurity researcher Dennis Giese, who (along with collaborators Braelynn Luedtke and Chris Anderson) discovered the hack and has spent years researching robot vacuum vulnerabilities. Via email, Giese told me he's researched most of the major robot vacuum manufacturers, including Neato and iRobot. "Ecovacs is a bit unlucky this year, as I usually swap the vendor every year. Next year, it might hit a different vendor."
Giese developed a payload, and all Fell had to do was stand outside his offices, connect to the robot vacuum via Bluetooth, and download Giese's encrypted payload to it. That triggered a function in Ecovacs' vacuum, which led to it downloading a script from Giese's server and then executing it. Within moments, both Fell and Giese had access to the robot vacuum's camera feed. They could see what it saw and, more chillingly, were able to, according to the report, use the speaker to send a message to the Ecovacs' owner: "Hello Sean, I'm waaaatching you."
At no point during this process did the robot vacuum indicate that it was under outside control.
Ecovacs' POV
When contacted about the hack story, Ecovacs sent me this response:
"ECOVACS places the highest priority on data security and customer privacy. To address some security issues raised over the last several months, the ECOVACS Security Committee initiated an internal review process of network connections and data storage. As a result, we have enhanced product security across multiple dimensions, and will continue to strengthen system security in upcoming updates."
This differed slightly from what the company told TechCrunch in August. Back then, it mentioned the internal review process but also said consumers had little to worry about, claiming in the statement to TechCrunch, "Security issues pointed out by Giese and Braelynn are extremely rare in typical user environments and require specialized hacking tools and physical access to the device. Therefore, users can rest assured that they do not need to worry excessively about this."
While Ecovacs was likely right about the programming tools, I asked Giese about the "physical access" claim, since Fell's report detailed how he used only a Bluetooth connection from outside his office and the payload on his phone to hack the vacuum.
Giese told me that there are many different vulnerabilities, but for the one that Fell hacked, "You only need a phone and the magic payload. No physical access, you do not even need to know where the robot is, who it belongs to, or what kind of model it is. If you are in range, you can do it."
Giese first told Ecovacs about the vulnerability in December 2023 and told Fell that the company initially didn't even respond to the message. Giese, though, is not a black-hat hacker and has no plans to release the details of the hack to the public. In fact, he has no particular beef with Ecovacs.
"It appears that I 'bite' into that company and want to damage them, but that's not true. I am not super focused on Ecovacs and would have moved on by now if the problems were fixed," said Giese.
He added that he doesn't necessarily blame Ecovacs for these and other robot vacuum vulnerabilities. He claims that the company paid to get the proper certifications. "Ecovacs is also a victim here. They paid money to someone that was expected to certify them according to a standard (ETSI xxxx). There were a lot of things that should have been found (e.g. the SSL issues), but they were not."
As for what you should do if you own an Ecovacs robot vacuum: Start with making sure all your software is up to date. Ecovacs may not agree this is a dangerous vulnerability, but Ecovacs did tell us, "We have enhanced product security across multiple dimensions," which sounds like software updates to me.
In the meantime, you could do as the original Ecovacs consumer did and put a blanket over the robot vacuum camera when it's not in use.
Chinese state-owned carrier China Telecom has announced the development of two LLMs trained entirely on domestically produced chips.
In a statement from the Institute of AI at China Telecom, published on WeChat and reported by the South China Morning Post, its open-source TeleChat2-115B, which has over 100 billion parameters, and a second unnamed model, which reportedly has 1 trillion parameters, were trained using tens of thousands of locally manufactured chips.
The statement claims that this development “indicates that China has truly realized total self-sufficiency in domestic LLM training,” a challenging goal for the country since the US imposed strict export regulations that block access to high-end GPUs like the Nvidia H100 and A100.
Turning to local suppliers
While China Telecom hasn't specified who supplied the chips used to train its LLMs, it's likely that Huawei provided the majority, if not all, of them. The company has been positioning itself as a domestic alternative to Nvidia, and the South China Morning Post notes that China Telecom "previously disclosed that it is developing LLM technology using Ascend chips developed by the Shenzhen-based telecom equipment giant."
Huawei has recently begun sending samples of its new Ascend 910C processor to Chinese server and telecom companies for testing, and it has been targeting major Nvidia customers in China in the hopes of getting them to switch at least some of their business.
Although there is a thriving black market in China for Nvidia’s high-end GPUs, many companies, including ByteDance and Alibaba, prefer to stay compliant and use lower-spec, permitted GPUs like Nvidia’s H20 to avoid legal and reputational risks and to maintain access to Nvidia’s support. These companies are increasingly turning to Huawei for their AI needs. It was recently reported that TikTok owner ByteDance had put in an order for 100,000 Ascend processors.
The South China Morning Post also reports that, in addition to Huawei, China Telecom is exploring hardware from Cambricon, a local AI chip start-up, to further diversify its chip supply.
Another TV show has fallen victim to the Netflix ax as That '90s Show has been canceled after two seasons. But fret not, as the critically acclaimed Yellowjackets is coming to the best streaming service in October.
That '90s Show is a sequel to the classic sitcom That '70s Show, which propelled the likes of Ashton Kutcher and Mila Kunis to Hollywood stardom back in the early noughties. However, franchise star Kurtwood Smith has now confirmed in an Instagram post that the comedy series, which has an 81% score on Rotten Tomatoes, will not be renewed for a third season.
That '70s Show follows the lives of six teenage friends in the fictional town of Point Place, Wisconsin from 1976 to 1979 and ran for eight seasons until 2006. In 2023, That '90s Show debuted on Netflix and centers on Leia Forman (Callie Haverda), the daughter of Eric Forman (Topher Grace) and Donna Pinciotti (Laura Prepon) from the original series, as she visits her grandparents for the summer and meets a new generation of Point Place kids.
Almost the entire original cast of That '70s Show returned for the sequel series, including Kurtwood Smith (Red), Debra Jo Rupp (Kitty), Topher Grace (Eric), Mila Kunis (Jackie), Ashton Kutcher (Kelso), Laura Prepon (Donna) and Wilmer Valderrama (Fez).
But while That '90s Show is another axed show to add to the list of five shows canceled by Netflix in 2024 so far that you should still watch, Yellowjackets, which has an even better Rotten Tomatoes score of 96%, has been added to everything new on Netflix in October 2024.
What is Yellowjackets about?
Yellowjackets, one of the best Paramount Plus shows, is a time-hopping thriller about a girls' soccer team whose plane crashes into the Ontario wilderness in 1996 on the way to a tournament. After surviving the catastrophe, they must make some tough decisions to get through the harsh conditions. The series then jumps forward to the present and follows the consequences of this event in their adult lives in 2021.
When Yellowjackets debuted on Showtime in 2021, it became the cable channel's biggest original series in years and now it's set to receive even more praise when it becomes one of the best Netflix shows.
The show features a star-studded cast of Ella Purnell, Melanie Lynskey, Christina Ricci, and Juliette Lewis, who have been praised for their performances, with The Verge writing in their Yellowjackets season 2 review: "It has, across the board, a brilliant ensemble cast with stellar chemistry."
Filming for Yellowjackets season 3 was underway in May 2024 with an expected 2025 release date but if you can't wait that long (understandable!), here are eight fleshy dramas to watch while you wait for the next instalment of the show.
The recently revealed Common UNIX Printing System (CUPS) security flaw may be even worse than expected, following new claims it can be abused to amplify distributed denial of service (DDoS) attacks.
Researchers from Akamai claim the attacks can have an amplification factor of 600x for an average attack, a worrying prospect for victims everywhere.
CUPS is an open-source printing system developed by Apple for Unix-like operating systems, including Linux and macOS. It provides a standardized way to manage print jobs and queues, supporting both local and network printers. CUPS uses the Internet Printing Protocol (IPP) as its primary protocol, allowing seamless printer discovery and job submission across networks. It also includes a web-based interface for managing printers, print jobs, and configurations.
Infinite loop
CUPS was recently revealed to possess four flaws: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. When chained, these can allow threat actors to create fake, malicious printers, which CUPS can discover. The only thing the crooks need to do is send a specially crafted packet to trick the CUPS server. The moment a user tries to print something using this new device, a malicious command gets executed locally on their device.
Akamai’s experts, on the other hand, claim that each packet sent to flawed CUPS servers makes them generate larger IPP/HTTP requests, aiming at the targeted device. As a result, both CPU and bandwidth resources get eaten up, in classic DDoS fashion. Their research determined that there are almost 200,000 internet-exposed devices, out of which almost 60,000 can be leveraged for DDoS campaigns.
In extreme cases, CUPS servers will continue to send requests, entering an infinite loop.
"In the worst-case scenario, we observed what appeared to be an endless stream of attempted connections and requests as a result of a single probe. These flows appear to have no end, and will continue until the daemon is killed or restarted," Akamai explained. "Many of these systems we observed in testing established thousands of requests, sending them to our testing infrastructure. In some cases, this behavior appeared to continue indefinitely."
The DDoS amplification attack can be run in mere minutes, for almost no money. IT teams are urged to apply the fix for the above-mentioned flaws as soon as possible.
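A quick exposure check for the component behind CVE-2024-47176 (the cups-browsed daemon, which accepts printer announcements on UDP port 631 from any source), added here as an example and not drawn from the article or from Akamai's research: it reports whether a cups-browsed.conf still accepts legacy CUPS browse packets and writes a hardened copy. The directive name BrowseRemoteProtocols and its default are taken from the cups-browsed.conf(5) man page; the sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the article's or Akamai's code). Checks whether cups-browsed,
# the daemon behind CVE-2024-47176, is configured to accept legacy CUPS browse
# packets on UDP/631, and produces a hardened copy of the configuration.

# Return 0 if the given cups-browsed.conf lets the daemon accept CUPS browse
# packets (BrowseRemoteProtocols includes "cups"). Comments are stripped first,
# and the last matching directive wins, as the daemon itself reads the file.
browse_accepts_cups() {
    proto=$(sed -e 's/#.*//' "$1" \
        | awk 'tolower($1) == "browseremoteprotocols" { $1 = ""; v = $0 } END { print v }')
    # Per cups-browsed.conf(5) the default when the directive is absent is
    # "dnssd cups", so a missing directive counts as exposed.
    [ -z "$proto" ] && proto="dnssd cups"
    for p in $proto; do
        [ "$(printf '%s' "$p" | tr 'A-Z' 'a-z')" = "cups" ] && return 0
    done
    return 1
}

# Print a hardened copy of a config: any BrowseRemoteProtocols line becomes
# "none"; if the directive is missing, one is appended.
harden_browse_protocols() {
    if grep -qi '^[[:space:]]*BrowseRemoteProtocols' "$1"; then
        sed -e 's/^[[:space:]]*[Bb]rowse[Rr]emote[Pp]rotocols.*/BrowseRemoteProtocols none/' "$1"
    else
        cat "$1"
        echo "BrowseRemoteProtocols none"
    fi
}

# Live check for the running host (not exercised offline): anything bound to UDP/631?
udp631_listening() {
    ss -lun 2>/dev/null | grep -q ':631[[:space:]]'
}

# Constructed sample config mirroring the shipped default.
WEAK_CONF=$(mktemp)
printf '# shipped default\nBrowseRemoteProtocols dnssd cups\n' > "$WEAK_CONF"
HARDENED=$(mktemp)
harden_browse_protocols "$WEAK_CONF" > "$HARDENED"

browse_accepts_cups "$WEAK_CONF" && echo "weak config: cups-browsed would accept UDP/631 announcements from any host"
browse_accepts_cups "$HARDENED" || echo "hardened config no longer accepts CUPS browse packets"
```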
Via BleepingComputer