Chrome

Hackers Target Dozens of VPN, AI Extensions For Google Chrome To Compromise Data 12

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."
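The "pre-approved versions, kept unchanged" advice above can be turned into a concrete check. The following is an added example, not code from The Record's report or from ExtensionTotal: a Python audit that walks a Chrome profile's Extensions directory (Chrome's real layout is Extensions/<extension id>/<version>_<n>/manifest.json) and compares what is installed against an allowlist of approved extension id to version pairs, flagging version drift, extensions not on the list, and manifests that request broad host access or sensitive permissions such as cookies or scripting. The extension ids, versions, manifests and the allowlist are constructed for the example; the profile is built in a temp directory so it runs offline.

```python
"""Audit installed Chrome extensions against a pre-approved allowlist.

Chrome stores each installed extension under
    <profile>/Extensions/<extension id>/<version>_<n>/manifest.json
so a profile can be inventoried offline by walking that tree and reading
the manifests. Added example; ids, versions and the allowlist are made up.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field

# Hypothetical allowlist: extension id -> approved version (constructed).
APPROVED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "1.4.0",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "2.0.1",
}

# Host patterns and permissions that deserve review when an update adds them.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"cookies", "webRequest", "webRequestBlocking",
                   "scripting", "debugger", "declarativeNetRequest"}


@dataclass
class Finding:
    ext_id: str
    version: str
    issues: list = field(default_factory=list)


def inventory(extensions_dir):
    """Return {ext_id: [(version, manifest), ...]} for every manifest on disk."""
    found = {}
    if not os.path.isdir(extensions_dir):
        return found
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for ver_dir in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, ver_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # Directory name is "<version>_<n>"; the manifest's version field is authoritative.
            version = str(manifest.get("version", ver_dir.split("_")[0]))
            found.setdefault(ext_id, []).append((version, manifest))
    return found


def audit(extensions_dir, approved=APPROVED):
    """Compare installed extensions with the allowlist; return one Finding per problem extension."""
    findings = []
    for ext_id, versions in inventory(extensions_dir).items():
        for version, manifest in versions:
            f = Finding(ext_id, version)
            if ext_id not in approved:
                f.issues.append("not on allowlist")
            elif approved[ext_id] != version:
                f.issues.append(f"version drift: approved {approved[ext_id]}, installed {version}")
            # MV2 manifests put host patterns in "permissions"; MV3 uses "host_permissions".
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            if perms & BROAD_HOSTS:
                f.issues.append("broad host access: " + ", ".join(sorted(perms & BROAD_HOSTS)))
            if perms & SENSITIVE_PERMS:
                f.issues.append("sensitive permissions: " + ", ".join(sorted(perms & SENSITIVE_PERMS)))
            if f.issues:
                findings.append(f)
    return findings


def build_sample_profile():
    """Construct a fake Extensions directory (sample data, not a real profile)."""
    root = tempfile.mkdtemp(prefix="chrome_ext_audit_")
    samples = {
        # Approved id at the approved version with narrow permissions: should be clean.
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.4.0_0"): {
            "manifest_version": 3, "name": "Approved Tool", "version": "1.4.0",
            "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
        # Approved id, but an auto-update past the pinned version that now wants everything.
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.1.0_0"): {
            "manifest_version": 3, "name": "Approved VPN", "version": "2.1.0",
            "permissions": ["storage", "cookies", "scripting"], "host_permissions": ["<all_urls>"]},
        # Extension nobody approved, MV2 style with a host pattern in "permissions".
        ("cccccccccccccccccccccccccccccccc", "0.9.0_0"): {
            "manifest_version": 2, "name": "Unknown Helper", "version": "0.9.0",
            "permissions": ["tabs", "*://*/*"]},
    }
    for (ext_id, ver_dir), manifest in samples.items():
        path = os.path.join(root, ext_id, ver_dir)
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def run_demo():
    return audit(build_sample_profile())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding.ext_id, finding.version)
        for issue in finding.issues:
            print("   -", issue)
```

Point `audit()` at a real profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to get the same report for an actual machine. This is a detective control: it tells you an extension has drifted after the fact. Preventing the drift in the first place is a job for Chrome's enterprise policies (ExtensionInstallAllowlist / ExtensionSettings), which the Chrome Web Store's auto-update mechanism otherwise bypasses on the user's behalf.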
Windows

Ex-Microsoft Designer Reveals Windows 11's Dynamic Wallpapers That May Have Been Shelved (windowscentral.com) 17

Former Microsoft designer Sergey Kisselev has shared previously unseen concepts for Windows 11 dynamic wallpapers, intended for educational devices. The animated backgrounds were designed to complement Windows 11's centered interface but never shipped with the operating system's 23H2 update as initially planned.
Television

Samsung, Asus, MSI Unveil First 27-inch 4K OLED 240Hz Gaming Monitors (theverge.com) 25

Leading monitor manufacturers Asus, Samsung, and MSI unveiled the world's first 27-inch 4K OLED gaming monitors with 240Hz refresh rates, all featuring Samsung Display's fourth-generation QD-OLED panel technology.

Asus ROG Swift OLED PG27UCDM and MSI MPG 272URX QD-OLED models include DisplayPort 2.1a support, enabling 4K resolution at 240Hz without compression. Both offer DisplayHDR True Black 400 certification and three-year burn-in protection warranties. Samsung's Odyssey OLED G8 specifications remain partially undisclosed. All monitors feature 0.03ms response times and pixel density exceeding 160PPI.

Release dates and pricing details have not been announced.
IT

LA County Sheriff's Computer Dispatch System Crashes on New Year's Eve (msn.com) 33

Bruce66423 writes: A few hours before the ball dropped on New Year's Eve, the computer dispatch system for the Los Angeles County Sheriff's Department crashed, rendering all patrol car computers nearly useless and forcing deputies to handle all calls by radio, according to officials and sources in the department. Department leaders first learned of the problem around 8 p.m., when deputies at several sheriff's stations began having trouble logging onto their patrol car computers, officials told The Times in a statement.

The department said it eventually determined its computer-aided dispatch program -- known as CAD -- was "not allowing personnel to log on with the new year, making the CAD inoperable." It's not clear how long it will take to fix the problem, but in the meantime deputies and dispatchers are handling everything old-school -- using their radios instead of patrol car computers.

"It's our own little Y2K," a deputy who was working Wednesday morning told The Times. The deputy, along with three other department sources who spoke to The Times about the problem, asked not to be named because they were not authorized to speak on the record and feared retaliation.

IT

Tintin, Popeye Enter Public Domain as 1929 Works Released (duke.edu) 109

Thousands of copyrighted works from 1929, including Mickey Mouse's first speaking appearance and original versions of comic characters Popeye and Tintin, entered the U.S. public domain on January 1, 2025, as their 95-year copyright terms expired.

Popeye debuted in E.C. Segar's "Thimble Theatre" comic strip, while Tintin first appeared in Georges Remi's "Les Aventures de Tintin." These original character versions can now be freely used without permission or fees. Literary classics joining the public domain include William Faulkner's "The Sound and the Fury," Ernest Hemingway's "A Farewell to Arms," and Virginia Woolf's "A Room of One's Own."

Musical compositions entering the public domain include George Gershwin's "An American in Paris," Maurice Ravel's "Bolero," and Fats Waller's "Ain't Misbehavin'." The original 1929 recordings remain protected until 2030 under separate copyright rules.

Notable films becoming public domain include the Marx Brothers' first feature "The Cocoanuts," Alfred Hitchcock's first sound film "Blackmail," and several Mickey Mouse animations where the character debuts his white gloves and speaks his first words. Sound recordings from 1924, including performances by Marian Anderson and George Gershwin, also entered the public domain under the Music Modernization Act's 100-year term for historical recordings.
Government

US Treasury Says Chinese Hackers Stole Documents In 'Major Incident' (reuters.com) 34

An anonymous reader quotes a report from Reuters: Chinese state-sponsored hackers broke into the U.S. Treasury Department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday. The hackers compromised a third-party cybersecurity service provider and were able to access unclassified documents, the letter said, calling it a "major incident."

According to the letter, hackers "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users." After being alerted by cybersecurity provider BeyondTrust, the Treasury Department said it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact.
Developing...
Bug

'Y2K Seems Like a Joke Now, But in 1999 People Were Freaking Out' (npr.org) 134

NPR remembers when the world "prepared for the impending global meltdown" that might've been, on December 31, 1999 — and the possible bug known as Y2K: The Clinton administration said that preparing the U.S. for Y2K was probably "the single largest technology management challenge in history." The bug threatened a cascade of potential disruptions — blackouts, medical equipment failures, banks shutting down, travel screeching to a halt — if the systems and software that helped keep society functioning no longer knew what year it was... Computer specialist and grassroots organizer Paloma O'Riley compared the scale and urgency of Y2K prep to telling somebody to change out a rivet on the Golden Gate Bridge. Changing out just one rivet is simple, but "if you suddenly tell this person he now has to change out all the rivets on the bridge and he has only 24 hours to do it in — that's a problem," O'Riley told reporter Jason Beaubien in 1998....

The date switchover rattled a swath of vital tech, including Wall Street trading systems, power plants and tools used in air traffic control. The Federal Aviation Administration put its systems through stress tests and mock scenarios as 2000 drew closer. "Twenty-three million lines of code in the air traffic control system did seem a little more daunting, I will say, than I had probably anticipated," FAA Administrator Jane Garvey told NPR in 1998. Ultimately there were no systemwide aviation breakdowns, but airlines were put on a Y2K alert....

Some financial analysts remained skeptical Y2K would come and go with minimal disruption. But by November 1999 the Federal Reserve said it was confident the U.S. economy would weather the big switch. "Federal banking agencies have been visited and inspected. Every bank in the United States, which includes probably 9,000 to 10,000 institutions, over 99% received a satisfactory rating," Fed Board Governor Edward Kelley said at the time.

The article also remembers a California programmer who bought a mobile home, a propane generator, and a year's supply of dehydrated food. (He was also considering buying a handgun — and converting his bank savings into gold, silver, and cash.) And "Dozens of communities across the U.S. formed Y2K preparedness groups to stave off unnecessary panic..."

But the article concludes that "the aggressive planning and recalibration paid off. Humanity passed into the year 2000 without pandemonium..."

And "People like Jack Pentes of Charlotte, N.C., were left to figure out what to do with their emergency stockpiles."
IT

Communications of the ACM Asks: Is It Ethical To Work For Big Tech? (acm.org) 136

Long-time Slashdot reader theodp writes: Back in January, Rice University professor and former CACM Editor-in-Chief Moshe Y. Vardi wrote of the unintended consequences of social media and mobile computing in "Computing, You Have Blood on Your Hands!" To close out the year, Vardi addresses the role tech workers play in enabling dubious Big Tech business models — including now-powered-by-AI Big Tech Surveillance Capitalism — in an opinion piece titled "I Was Wrong about the Ethics Crisis."

Vardi writes: "The belief in the magical power of the free market always to serve the public good has no theoretical basis. In fact, our current climate crisis is a demonstrated market failure. To take an extreme example, Big Tobacco surely does not support the public good, and most of us would agree that it is unethical to work for Big Tobacco. The question, thus, is whether Big Tech is supporting the public good, and if not, what should Big Tech workers do about it. Of course, there is no simple answer to such a question, and the only reasonable answer to the question of whether it is ethical to work for Big Tech is, 'It depends.' [...] It is difficult to get a man to understand something, when his salary depends on his not understanding it, said the writer and political activist Upton Sinclair. By and large, Big Tech workers do not seem to be asking themselves hard questions, I believe, hence my conclusion that we do indeed suffer from an ethics crisis."

Privacy

Massive VW Data Leak Exposed 800,000 EV Owners' Movements (carscoops.com) 69

A new report reveals that the VW Group left sensitive data for 800,000 electric vehicles from Audi, VW, Seat, and Skoda poorly secured on an Amazon cloud, exposing precise GPS locations, battery statuses, and user habits for months. Carscoops reports: It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners' personal credentials, thanks to additional data accessible through VW Group's online services. Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner's daily habits. As reported by Spiegel, the massive list of affected owners isn't just a who's-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.

This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.

Security

Hackers Hijack a Wide Range of Companies' Chrome Extensions (reuters.com) 10

Hackers have compromised several different companies' Chrome browser extensions in a series of intrusions dating back to mid-December, according to one of the victims and experts who have examined the campaign. From a report: Among the victims was the California-based Cyberhaven, a data protection company that confirmed the breach in a statement to Reuters on Friday. "Cyberhaven can confirm that a malicious cyberattack occurred on Christmas Eve, affecting our Chrome extension," the statement said.

It cited public comments from cybersecurity experts. These comments, said Cyberhaven, suggested that the attack was "part of a wider campaign to target Chrome extension developers across a wide range of companies." Cyberhaven added: "We are actively cooperating with federal law enforcement." The geographical extent of the hacks was not immediately clear.

China

Chinese Hackers Breach Ninth US Telecoms Group in Espionage Campaign (apnews.com) 41

A ninth U.S. telecommunications company has been compromised in a Chinese espionage campaign that targeted private communications, particularly around Washington D.C., White House Deputy National Security Adviser Anne Neuberger said Friday.

The intrusion, part of the "Salt Typhoon" operation that previously hit eight telecom firms, allowed hackers to access customer call records and private messages. While the total number of affected Americans remains unclear, many targets were government officials and political figures in the Washington-Virginia area.
Crime

A Fake Nintendo Lawyer is Scaring YouTubers (theverge.com) 32

A wave of fraudulent copyright takedowns on YouTube has exposed vulnerabilities in the platform's content moderation system, enabling anonymous users to threaten creators' channels through false legal claims, The Verge is reporting. Several gaming content creators, including a channel with 1.5 million subscribers, received takedown notices from someone impersonating Nintendo's legal team. Though YouTube acknowledged the false claims, the company declined to explain how it verifies takedown requests or detail measures to prevent abuse of its copyright system.
Bug

Windows 11 Installation Media Bug Causes Security Update Failures (bleepingcomputer.com) 68

Microsoft is warning that Windows 11 installations using USB or CD media created with October or November 2024 security updates may be unable to receive future security patches.

The bug affects version 24H2 installations made between October 8 and November 12, but does not impact systems updated through Windows Update or the Microsoft Update Catalog. Microsoft advised users to rebuild installation media using December 2024 patches while it works on a permanent fix for the issue, which primarily affects business and education environments.
Japan

Japan Airlines Hit By Cyberattack, Delaying Flights During Year-End Holiday Season (apnews.com) 3

Japan Airlines said it was hit by a cyberattack Thursday, causing delays to more than 20 domestic flights but the carrier said there was no impact on flight safety. From a report: JAL said the problem started Thursday morning when the company's network connecting internal and external systems began malfunctioning. The airline said the cyberattack had delayed 24 domestic flights for more than 30 minutes, and the impact could expand later in the day.
Microsoft

Microsoft Edge Takes a Victory Lap With Some High-Looking Usage Stats For 2024 (theregister.com) 22

An anonymous reader shares a report: Microsoft has published a year in review for its Edge browser and talked up AI-powered chats while lightly skipping over the software's stagnating market share. The company had some big numbers to share. There had been over 10 billion AI-powered chats with Copilot from inside the Edge browser window (although it did not disclose how many chats were customers asking how to install Chrome). Some 38 trillion characters had been auto-translated. Seven trillion megabytes of PC memory had been saved through the use of sleeping tabs.

However, are those numbers actually as big as they seem? What Microsoft did not say is how little Edge has moved the needle on market share in 2024. Strangely, the company did not share raw usage information. Yet, a look at Statcounter's figures for browser desktop market share showed Edge with 11.9 percent of the market in December 2023 and reaching 12.87 percent by November 2024 -- an increase of less than 1 percent. The market leader, Google's Chrome browser, went from 65.23 percent to 66.33 percent in the same period. That's only slightly more than 1 percent, but it still maintains its dominance.

Crime

In Maine, Remote Work Gives Prisoners a Lifeline (bostonglobe.com) 54

An anonymous reader quotes a report from the Boston Globe: Every weekday morning at 8:30, Preston Thorpe makes himself a cup of instant coffee and opens his laptop to find the coding tasks awaiting his seven-person team at Unlocked Labs. Like many remote workers, Thorpe, the nonprofit's principal engineer, works out in the middle of the day and often stays at his computer late into the night. But outside Thorpe's window, there's a soaring chain-link fence topped with coiled barbed wire. And at noon and 4 p.m. every day, a prison guard peers into his room to make sure he's where he's supposed to be at the Mountain View Correctional Facility in Charleston, Maine, where he's serving his 12th year for two drug-related convictions in New Hampshire, including intent to distribute synthetic opioids.

Remote work has spread far and wide since the pandemic spurred a work-from-home revolution of sorts, but perhaps no place more unexpectedly than behind prison walls. Thorpe is one of more than 40 people incarcerated in Maine's state prison system who have landed internships and jobs with outside companies over the past two years -- some of whom work full time from their cells and earn more than the correctional officers who guard them. A handful of other states have also started allowing remote work in recent years, but none have gone as far as Maine, according to the Alliance for Higher Education in Prison, the nonprofit leading the effort.

Unlike incarcerated residents with jobs in the kitchen or woodshop who earn just a few hundred dollars a month, remote workers make fair-market wages, allowing them to pay victim restitution fees and legal costs, provide child support, and contribute to Social Security and other retirement funds. Like inmates in work-release programs who have jobs out in the community, 10 percent of remote workers' wages go to the state to offset the cost of room and board. All Maine DOC residents get re-entry support for housing and job searches before they're released, and remote workers leave with even more: up-to-date resumes, a nest egg -- and the hope that they're less likely to need food or housing assistance, or resort to crime to get by.

Bitcoin

North Korean Hackers Stole $1.3 Billion Worth of Crypto This Year 22

In 2024, North Korean state-sponsored hackers stole $1.34 billion in cryptocurrency across 47 attacks, marking a 102.88% increase from 2023 and accounting for 61% of global crypto theft. BleepingComputer reports: Although the total number of incidents in 2024 reached a record-breaking 303, the total losses figure isn't unprecedented, as 2022 remains the most damaging year with $3.7 billion. Chainalysis says most of the incidents this year occurred between January and July, during which 72% of the total amount for 2024 was stolen. The report highlights the DMM Bitcoin hack from May, where over $305 million was lost, and the WazirX cyberheist from July, which resulted in the loss of $235 million.

As for what types of platforms suffered the most damage, DeFi platforms were followed by centralized services. Regarding the means, the analysts report that private key compromises accounted for 44% of the losses, while exploitation of security flaws corresponded to just 6.3% of stolen cryptocurrency. This is a sign that security audits have a significant effect on reducing exploitable flaws on the platforms. However, stricter security practices in the handling of private keys need to be implemented.
Windows

ASUS Christmas Campaign Sparks Malware Panic Among Windows Users 59

ASUS computer owners have been reporting widespread alarm after a Christmas-themed banner suddenly appeared on their Windows 11 screens, accompanied by a suspicious "Christmas.exe" process in Task Manager.

The promotional campaign, first reported by WindowsLatest, was delivered through ASUS' pre-installed Armoury Crate software. It displays a large wreath banner that covers one-third of users' screens. The unbranded holiday display, which can interrupt gaming sessions and occasionally crashes applications, has triggered security concerns among users who initially mistook it for malware.
Privacy

Health Care Giant Ascension Says 5.6 Million Patients Affected In Cyberattack (arstechnica.com) 5

An anonymous reader quotes a report from Ars Technica: Health care company Ascension lost sensitive data for nearly 5.6 million individuals in a cyberattack that was attributed to a notorious ransomware gang, according to documents filed with the attorney general of Maine. Ascension owns 140 hospitals and scores of assisted living facilities. In May, the organization was hit with an attack that caused mass disruptions as staff was forced to move to manual processes that caused errors, delayed or lost lab results, and diversions of ambulances to other hospitals. Ascension managed to restore most services by mid-June. At the time, the company said the attackers had stolen protected health information and personally identifiable information for an undisclosed number of people.

A filing Ascension made earlier in December revealed that nearly 5.6 million people were affected by the breach. Data stolen depended on the particular person but included individuals' names and medical information (e.g., medical record numbers, dates of service, types of lab tests, or procedure codes), payment information (e.g., credit card information or bank account numbers), insurance information (e.g., Medicaid/Medicare ID, policy number, or insurance claim), government identification (e.g., Social Security numbers, tax identification numbers, driver's license numbers, or passport numbers), and other personal information (such as date of birth or address). Ascension is now in the process of notifying affected individuals. The organization is also offering two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services. The services became effective last Thursday.
Further reading: Black Basta Ransomware Attack Brought Down Ascension IT Systems, Report Finds