An anonymous reader quotes a report from BleepingComputer: Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. The stolen data is collected in text files and images, which are stored in archives called "logs." These logs are then uploaded to a remote server to be collected later by the attacker. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community.

The Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials compiled from credential stuffing lists and from information-stealing malware logs. It should be noted that while the Naz.API dataset name includes the word "Naz," it is not related to network attached storage (NAS) devices. This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services. This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. The service shut down in July 2023 out of concerns it was being used for Doxxing and SIM-swapping attacks. However, the operator enabled the service again in September. Illicit.services use data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people. Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person's device, as shown [here]. "Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum," explained Troy Hunt, the creator of Have I Been Pwned, in blog post. "Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company."

"They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list."

To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned.

An anonymous reader quotes a report from TechCrunch: The Apple-versus-Beeper saga is not over yet it seems, even though the iMessage-on-Android Beeper Mini was removed from the Play Store last week. Now, Apple customers who used Beeper's apps are reporting that they've been banned from using iMessage on their Macs -- a move Apple may have taken to disable Beeper's apps from working properly, but ultimately penalizes its own customers for daring to try a non-Apple solution for accessing iMessage. The latest follows a contentious game of cat-and-mouse between Apple and Beeper, which Apple ultimately won. [...]

According to users' recounting of their tech support experiences with Apple, the support reps are telling them their computer has been flagged for spam, or for sending too many messages — even though that's not the case, some argued. This has led many Beeper users to believe this is how Apple is flagging them for removal from the iMessage network. One Beeper customer advised others facing this problem to ask Apple if their Mac was in a "throttled status" or if their Apple ID was blocked for spam to get to the root of the issue. Admitting up front that third-party software was to blame would sometimes result in the support rep being able to lift the ban, some noted.

The news of the Mac bans was earlier reported by Apple news site AppleInsider and Times of India, and is being debated on Y Combinator forum site Hacker News. On the latter, some express their belief that the retaliation against Apple's own users is justified as they had violated Apple's terms, while others said that iMessage interoperability should be managed through regulation, not rogue apps. Far fewer argued that Apple is exerting its power in an anticompetitive fashion here.

Version 9.0 of Wine, the free and open-source compatibility layer that lets you run Windows apps on Unix-like operating systems, has been released. "Highlights of Wine 9.0 include an experimental Wayland graphics driver with features like basic window management, support for multiple monitors, high-DPI scaling, relative motion events, as well as Vulkan support," reports 9to5Linux. From the report: The Vulkan driver has been updated to support Vulkan 1.3.272 and later, the PostScript driver has been reimplemented to work from Windows-format spool files and avoid any direct calls from the Unix side, and there's now a dark theme option on WinRT theming that can be enabled in WineCfg. Wine 9.0 also adds support for many more instructions to Direct3D 10 effects, implements the Windows Media Video (WMV) decoder DirectX Media Object (DMO), implements the DirectShow Audio Capture and DirectShow MPEG-1 Video Decoder filters, and adds support for video and system streams, as well as audio streams to the DirectShow MPEG-1 Stream Splitter filter.

Desktop integration has been improved in this release to allow users to close the desktop window in full-screen desktop mode by using the "Exit desktop" entry in the Start menu, as well as support for export URL/URI protocol associations as URL handlers to the Linux desktop. Audio support has been enhanced in Wine 9.0 with the implementation of several DirectMusic modules, DLS1 and DLS2 sound font loading, support for the SF2 format for compatibility with Linux standard MIDI sound fonts, Doppler shift support in DirectSound, Indeo IV50 Video for Windows decoder, and MIDI playback in dmsynth.

Among other noteworthy changes, Wine 9.0 brings loader support for ARM64X and ARM64EC modules, along with the ability to run existing Windows binaries on ARM64 systems and initial support for building Wine for the ARM64EC architecture. There's also a new 32-bit x86 emulation interface, a new WoW64 mode that supports running of 32-bit apps on recent macOS versions that don't support 32-bit Unix processes, support for DirectInput action maps to improve compatibility with many old video games that map controller inputs to in-game actions, as well as Windows 10 as the default Windows version for new prefixes. Last but not least, the kernel has been updated to support address space layout randomization (ASLR) for modern PE binaries, better memory allocation performance through the Low Fragmentation Heap (LFH) implementation, and support memory placeholders in the virtual memory allocator to allow apps to reserve virtual space. Wine 9.0 also adds support for smart cards, adds support for Diffie-Hellman keys in BCrypt, implements the Negotiate security package, adds support for network interface change notifications, and fixes many bugs. For a full list of changes, check out the release notes. You can download Wine 9.0 from WineHQ.

AI tools already allow people to generate eerily convincing voice clones and deepfake videos. Soon, AI could also be used to mimic a person's handwriting style. Bloomberg: Researchers at Abu Dhabi's Mohamed bin Zayed University of Artificial Intelligence (MBZUAI) say they have developed technology that can imitate someone's handwriting based on just a few paragraphs of written material. To accomplish that, the researchers used a transformer model, a type of neural network designed to learn context and meaning in sequential data. The team at MBZUAI, which calls itself the world's first AI university, has been granted a patent by the US Patent and Trademark Office for the artificial intelligence system.

The researchers have not yet released the feature, but it represents a step forward in an area that has drawn interest from academics for years. There have been apps and even robots that can generate handwriting, but recent advances in AI have accelerated character recognition techniques dramatically. As with other AI tools, however, it's unclear if the benefits will outweigh the harms. The technology could help the injured to write without picking up a pen, but it also risks opening the door to mass forgeries and misuse. The tool will need to be deployed thoughtfully, two of the researchers said in an interview.

America's Environmental Protection Agency "has signed off on a California oil company's plans to permanently store carbon emissions deep underground to combat global warming," reports the Los Angeles Times: California Resources Corp., the state's largest oil and gas company, applied for permission to send 1.46 million metric tons of carbon dioxide each year into the Elk Hills oil field, a depleted oil reservoir about 25 miles outside of downtown Bakersfield. The emissions would be collected from several industrial sources nearby, compressed into a liquid-like state and injected into porous rock more than one mile underground.

Although this technique has never been performed on a large scale in California, the state's climate plan calls for these operations to be widely deployed across the Central Valley to reduce carbon emissions from industrial facilities. The EPA issued a draft permit for the California Resources Corp. project, which is poised to be finalized in March following public comments. As California transitions away from oil production, a new business model for fossil fuel companies has emerged: carbon management. Oil companies have heavily invested in transforming their vast network of exhausted oil reservoirs into a long-term storage sites for planet-warming gases, including California Resources Corp., the largest nongovernmental owner of mineral rights in California...

[Environmentalists] say that the transportation and injection of CO2 — an asphyxiating gas that displaces oxygen — could lead to dangerous leaks. Nationwide, there have been at least 25 carbon dioxide pipeline leaks between 2002 and 2021, according to the U.S. Department of Transportation. Perhaps the most notable incident occurred in Satartia, Miss., in 2020 when a CO2 pipeline ruptured following heavy rains. The leak led to the hospitalization of 45 people and the evacuation of 200 residents... Under the EPA draft permit, California Resources Corp. must take a number of steps to mitigate these risks. The company must plug 157 wells to ensure the CO2 remains underground, monitor the injection site for leaks and obtain a $33-million insurance policy.
Canadian-based Brookfield Corporation also invested $500 million, according to the article, with California Resources Corp. seeking permits for five projects — more than any company in the nation. "It's kind of reversing the role, if you will," says their chief sustainability officer. "Instead of taking oil and gas out, we're putting carbon in."

Meanwhile, there's applications for "about a dozen" more projects in California's Central Valley that could store millions of tons of carbon emissions in old oil and gas fields — and California Resources Corp says greater Los Angeles is also "being evaluated" as a potential storage site.

Generative AI "doesn't easily carry over into robotics," write two researchers in IEEE Spectrum, "because the Internet is not full of robotic-interaction data in the same way that it's full of text and images."

That's why they're working on a single deep neural network capable of piloting many different types of robots... Robots need robot data to learn from, and this data is typically created slowly and tediously by researchers in laboratory environments for very specific tasks... The most impressive results typically only work in a single laboratory, on a single robot, and often involve only a handful of behaviors... [W]hat if we were to pool together the experiences of many robots, so a new robot could learn from all of them at once? We decided to give it a try. In 2023, our labs at Google and the University of California, Berkeley came together with 32 other robotics laboratories in North America, Europe, and Asia to undertake the RT-X project, with the goal of assembling data, resources, and code to make general-purpose robots a reality...

The question is whether a deep neural network trained on data from a sufficiently large number of different robots can learn to "drive" all of them — even robots with very different appearances, physical properties, and capabilities. If so, this approach could potentially unlock the power of large datasets for robotic learning. The scale of this project is very large because it has to be. The RT-X dataset currently contains nearly a million robotic trials for 22 types of robots, including many of the most commonly used robotic arms on the market...

Surprisingly, we found that our multirobot data could be used with relatively simple machine-learning methods, provided that we follow the recipe of using large neural-network models with large datasets. Leveraging the same kinds of models used in current LLMs like ChatGPT, we were able to train robot-control algorithms that do not require any special features for cross-embodiment. Much like a person can drive a car or ride a bicycle using the same brain, a model trained on the RT-X dataset can simply recognize what kind of robot it's controlling from what it sees in the robot's own camera observations. If the robot's camera sees a UR10 industrial arm, the model sends commands appropriate to a UR10. If the model instead sees a low-cost WidowX hobbyist arm, the model moves it accordingly.
"To test the capabilities of our model, five of the laboratories involved in the RT-X collaboration each tested it in a head-to-head comparison against the best control system they had developed independently for their own robot... Remarkably, the single unified model provided improved performance over each laboratory's own best method, succeeding at the tasks about 50 percent more often on average." And they then used a pre-existing vision-language model to successfully add the ability to output robot actions in response to image-based prompts.

"The RT-X project shows what is possible when the robot-learning community acts together... and we hope that RT-X will grow into a collaborative effort to develop data standards, reusable models, and new techniques and algorithms."

Thanks to long-time Slashdot reader Futurepower(R) for sharing the article.

An anonymous reader quotes a report from The Guardian: Joe Biden's administration has unveiled $623 million in funding to boost the number of electric vehicle charging points in the U.S., amid concerns that the transition to zero-carbon transportation isn't keeping pace with goals to tackle the climate crisis. The funding will be distributed in grants for dozens of programs across 22 states, such as EV chargers for apartment blocks in New Jersey, rapid chargers in Oregon and hydrogen fuel chargers for freight trucks in Texas. In all, it's expected the money, drawn from the bipartisan infrastructure law, will add 7,500 chargers to the US total.

There are about 170,000 electric vehicle chargers in the U.S., a huge leap from a network that was barely visible prior to Biden taking office, and the White House has set a goal for 500,000 chargers to help support the shift away from gasoline and diesel cars. "The U.S. is taking the lead globally on electric vehicles," said Ali Zaidi, a climate adviser to Biden who said the US is on a trajectory to "meet and exceed" the administration's charger goal. "We will continue to see this buildout over the coming years and decades until we've achieved a fully net zero transportation sector," he added. On Thursday, the House approved legislation to undo a Biden administration rule meant to facilitate the proliferation of EV charging stations. "S. J. Res. 38 from Sen. Marco Rubio (R-Fla.), would scrap a Federal Highway Administration waiver from domestic sourcing requirements for EV chargers funded by the 2021 bipartisan infrastructure law. It already passed the Senate 50-48," reports Politico.

"A waiver undercuts domestic investments and risks empowering foreign nations," said Rep. Sam Graves (R-Mo.), chair of the Transportation and Infrastructure Committee, during House debate Thursday. "If the administration is going to continue to push for a massive transition to EVs, it should ensure and comply with Buy America requirements." The White House promised to veto it and said it would backfire, saying it was so poorly worded it would actually result in fewer new American-made charging stations.

Just six days after being launched atop a Falcon 9 rocket, one of SpaceX's six Starlink satellites was used to send text messages for the first time. Space.com reports: That update didn't reveal what the first Starlink direct-to-cell text said. In a post on X on Wednesday, SpaceX founder and CEO Elon Musk said the message was "LFGMF2024," but the chances are fairly high that he was joking. [...] Beaming connectivity service from satellites directly to smartphones -- which SpaceX is doing via a partnership with T-Mobile -- is a difficult proposition, as SpaceX noted in Wednesday's update.

"For example, in terrestrial networks cell towers are stationary, but in a satellite network they move at tens of thousands of miles per hour relative to users on Earth," SpaceX wrote. "This requires seamless handoffs between satellites and accommodations for factors like Doppler shift and timing delays that challenge phone-to-space communications. Cell phones are also incredibly difficult to connect to satellites hundreds of kilometers away, given a mobile phone's low antenna gain and transmit power."

The direct-to-cell Starlink satellites overcome these challenges thanks to "innovative new custom silicon, phased-array antennas and advanced software algorithms," SpaceX added. Overcoming tough challenges can lead to great rewards, and that's the case here, according to SpaceX President Gwynne Shotwell. "Satellite connectivity direct to cell phones will have a tremendous impact around the world, helping people communicate wherever and whenever they want or need to," Shotwell said via X on Wednesday.

Stephen Harrison, an Englishman living in Thailand who posed as chief executive Steven Reece Lewis for the launch of the HyperVerse crypto scheme, told the Guardian Australia that he was paid to play the role of chief executive but denies having 'pocketed' any of the money lost. He says he received 180,000 Thai baht (about $7,500) over nine months and a free suit, adding that he was "shocked" to learn the company had presented him as having fake credentials to promote the scheme. From the report: He said he felt sorry for those who had lost money in relation to the scheme -- which he said he had no role in -- an amount Chainalysis estimates at US$1.3 billion in 2022 alone. "I am sorry for these people," he said. "Because they believed some idea with me at the forefront and believed in what I said, and God knows what these people have lost. And I do feel bad about this. "I do feel deeply sorry for these people, I really do. You know, it's horrible for them. I just hope that there is some resolution. I know it's hard to get the money back off these people or whatever, but I just hope there can be some justice served in all of this where they can get to the bottom of this." He said he wanted to make clear he had "certainly not pocketed" any of the money lost by investors.

Harrison, who at the time was a freelance television presenter engaged in unpaid football commentary, said he had been approached and offered the HyperVerse work by a friend of a friend. He said he was new to the industry and had been open to picking up more work and experience as a corporate "presenter." "I was told I was acting out a role to represent the business and many people do this," Harrison said. He said he trusted his agent and accepted that. After reading through the scripts he said he was initially suspicious about the company he was hired to represent because he was unfamiliar with the crypto industry, but said he had been reassured by his agent that the company was legitimate. He said he had also done some of his own online research into the organization and found articles about the Australian blockchain entrepreneur and HyperTech chairman Sam Lee. "I went away and I actually looked at the company because I was concerned that it could be a scam," Harrison said. "So I looked online a bit and everything seemed OK, so I rolled with it." The HyperVerse crypto scheme was promoted by Lee and his business partner Ryan Xu, both of which were founders of the collapsed Australian bitcoin company Blockchain Global. "Blockchain Global owes creditors $58 million and its liquidator has referred Xu and Lee to the Australian Securities and Investments Commission for alleged possible breaches of the Corporations Act," reports The Guardian. "Asic has said it does not intend to take action at this time."

Rodney Burton, known as "Bitcoin Rodney," was arrested and charged in the U.S on Monday for his alleged role in promoting the HyperVerse crypto scheme. The IRS alleges Burton was "part of a network that made 'fraudulent' presentations claiming high returns for investors based on crypto-mining operations that did not exist," reports The Guardian.

An anonymous reader quotes a report from the New York Times: When Microsoft opened an advanced research lab in Beijing in 1998, it was a time of optimism about technology and China. The company hired hundreds of researchers for the lab, which pioneered Microsoft's work in speech, image and facial recognition and the kind of artificial intelligence that later gave rise to online chatbots likeChatGPT. The Beijing operation eventually became one of the most important A.I. labs in the world. Bill Gates, Microsoft's co-founder, called it an opportunity to tap China's "deep pool of intellectual talent." But as tensions between the United States and China have mounted over which nation will lead the world's technological future, Microsoft's top leaders -- including Satya Nadella, its chief executive, and Brad Smith, its president -- have debated what to do with the prized lab for at least the past year, four current and former Microsoft employees said.

The company has faced questions from U.S. officials over whether maintaining a 200-person advanced technologies lab in China is tenable, the people said. Microsoft said it had instituted guardrails at the lab, restricting researchers from politically sensitive work. The company, which is based in Redmond, Wash., said it had also opened an outpost of the lab in Vancouver, British Columbia, and would move some researchers from China to the location. The outpost is a backup if more researchers need to relocate, two people said. The idea of shutting down or moving the lab has come up, but Microsoft's leaders support continuing it in China, four people said. "We are as committed as ever to the lab and the world-class research of this team," Peter Lee, who leads Microsoft Research, a network of eight labs across the world, said in a statement. Using the lab's formal name, he added, "There has been no discussion or advocacy to close Microsoft Research Asia, and we look forward to continuing our research agenda."

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.

25 years ago, Slashdot's CmdrTaco posted an announcement from Slashdot reader #257. "Jabber is a new project I recently started to create a complete open-source platform for Instant Messaging with transparent communication to other Instant Messaging systems (ICQ, AIM, etc).

"Most of the initial design and protocol work is done, as well as a working server and a few test clients."

You can find the rest of the story on Wikipedia. "Its major outcome proved to be the development of the XMPP protocol." ("Based on XML, it enables the near-real-time exchange of structured data between two or more network entities.") Originally developed by the open-source community, the protocols were formalized as an approved instant messaging standard in 2004 and have been continuously developed with new extensions and features... In addition to these core protocols standardized at the IETF, the XMPP Standards Foundation (formerly the Jabber Software Foundation) is active in developing open XMPP extensions...

XMPP features such as federation across domains, publish/subscribe, authentication and its security even for mobile endpoints are being used to implement the Internet of Things.
"Designed to be extensible, the protocol offers a multitude of applications beyond traditional IM in the broader realm of message-oriented middleware, including signalling for VoIP, video, file transfer, gaming and other uses..."

Slashdot reader #257 turned out to be Jeremie Miller (who at the time was just 23 years old). And according to his own page on Wikipedia, "Currently, Miller sits on the board of directors for Bluesky Social, a social media platform."

CNN reports that some Verizon customers "might have found an unexpected surprise in the mail this week: An opportunity to receive a refund as part of a proposed $100 million settlement from a class-action lawsuit." Eligible customers are receiving postcards or emails alerting them to file a claim by April 15 to receive up to $100, which is the result of the lawsuit accusing Verizon of charging fees that were "unfair and not adequately disclosed."

At issue is Verizon's "administrative charge," which the plaintiffs said were "misleading" because that fee wasn't disclosed in their plan's advertised monthly price and were charged in a "deceptive and unfair manner." Verizon has denied the claims and said in a statement that it "clearly identifies and describes its wireless consumer admin charge multiple times during the sales transaction, as well as in its marketing, contracts and billing." A company spokesperson said that the charge "helps our company recover certain regulatory compliance and network related costs."
"The payout is at least $15," adds CNN, "and might be more depending on how long the customer used Verizon and the number of customers who file a claim."

More than 4 million electric vehicles are now on America's roads. And Friday the U.S. Energy announced that more than a third of them (1.4 million) were sold within the last year.

That's 50% more than were sold in the previous year — and about the same number sold in the entire five years between 2016 and 2021. But the energy secretary's statement also touts the current administrations efforts at "building out a reliable and interoperable nationwide EV charging network — an undertaking never before seen in the United States." Today, the U.S. has close to 170,000 public EV chargers — a 75% increase since the president took office with nearly 900 new chargers coming online per week.

These developments are part of an inevitable shift toward a thriving electric transportation sector — a shift that American automakers and battery manufacturers are already carrying forward.

Business Insider's Kelli Maria Korducki reports on a growing trend happening on LinkedIn: some people are using the professional network for personal connections, fielding romantic offers amid job postings. But that leaves the question: Is it a good idea to mix work and love? From the report: Dustin Kidd, a professor of sociology at Temple University who researches social media and pop culture, said that dating via LinkedIn belonged to a long tradition of "dating hacks" -- using online tools designed for other purposes to snag a date. "In the aughts, this happened with Friendster and then Myspace," Kidd said, but has since spread to myriad platforms that are ostensibly romance-free. Even fitness-tracking sites such as Strava are fair game. The common thread for love-hijacked social-media sites is a single feature, Kidd said: DMs. "The design of LinkedIn helps to maintain its focus on the professional, but any platform with a direct-messaging option is likely to also be used to pursue sex and dating," he told me. The ease and relative privacy of direct messaging help explain how some people are using LinkedIn for romance, but it doesn't explain why. In an age with so many dedicated dating platforms -- from giants such as Tinder, Bumble, and Hinge to niche apps including Feeld (for the unconventional), Pure (for the noncommittal), and NUiT (for the astrologically inclined) -- why mix Cupid's arrow with corporate updates?

Any type of social media where you can see people's pictures can turn into a dating app. And LinkedIn is even better because it's not just showing people's fake lives. One answer may be the growing number of Americans who have gotten tired of the roulette-like experience that comes with modern dating apps. In a 2023 Pew survey of US adults, nearly one-third of respondents said they had used an online dating site or app at least once. More than half of women who had used the apps reported feeling overwhelmed by the number of messages they had received in the past year, while 64% of men said they felt insecure from the lack of messages they had gotten. Though an overwhelming majority of men and women said they'd felt excited about people they connected with, an even-larger proportion of respondents said they were sometimes or often disappointed by their matches. [...]

LinkedIn's appeal as a dating site, according to people who use it that way, is the platform's ability to give back some of that control and boost the caliber of their prospects. Because the professional-networking site asks users to link to their current and former employers' profile pages, it offers an additional layer of credibility that other social-media platforms lack. Many profiles also include first-person references from former colleagues and managers -- real people with real profile pages. [...] Even for those who shy away from using LinkedIn to angle for dates, the site has become a go-to tool for vetting romantic candidates found through conventional dating apps or in-person encounters. "Social media is just one big dating app," [said Samuela John, a 24-year-old personal organizer in New York City who developed chemistry with an oil-industry man on the platform]. "Any type of social media where you can see people's pictures can turn into a dating app. And LinkedIn is even better because it's not just showing people's fake lives." [...] "I don't think you should go into it like, 'All right, I'm going to find my husband on LinkedIn,'" John said. "I think you should go about it as if you were just networking, like in a casual sense. And then if you end up meeting the person, see the vibes and then go from there."

Dan Goodin reports via Ars Technica: Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks. The vulnerability, in a class known as a SQL injection, resides in all supported versions of the Ivanti Endpoint Manager. Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

"If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti officials wrote Friday in a post announcing the patch availability. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." RCE is short for remote code execution, or the ability for off-premises attackers to run code of their choice. Currently, there's no known evidence the vulnerability is under active exploitation. Ivanti has also published a disclosure that is restricted only to registered users. A copy obtained by Ars said Ivanti learned of the vulnerability in October. [...]

Putting devices running Ivanti EDM behind a firewall is a best practice and will go a long way to mitigating the severity of CVE-2023-39336, but it would likely do nothing to prevent an attacker who has gained limited access to an employee workstation from exploiting the critical vulnerability. It's unclear if the vulnerability will come under active exploitation, but the best course of action is for all Ivanti EDM users to install the patch as soon as possible.

Orange Espana, Spain's second-biggest mobile operator, suffered a major outage on Wednesday after an unknown party obtained a "ridiculously weak" password and used it to access an account for managing the global routing table that controls which networks deliver the company's Internet traffic, researchers said. From a report: The hijacking began around 9:28 Coordinated Universal Time (about 2:28 Pacific time) when the party logged into Orange's RIPE NCC account using the password "ripeadmin" (minus the quotation marks). The RIPE Network Coordination Center is one of five Regional Internet Registries, which are responsible for managing and allocating IP addresses to Internet service providers, telecommunication organizations, and companies that manage their own network infrastructure. RIPE serves 75 countries in Europe, the Middle East, and Central Asia.

The password came to light after the party, using the moniker Snow, posted an image to social media that showed the orange.es email address associated with the RIPE account. RIPE said it's working on ways to beef up account security. Security firm Hudson Rock plugged the email address into a database it maintains to track credentials for sale in online bazaars. In a post, the security firm said the username and "ridiculously weak" password were harvested by information-stealing malware that had been installed on an Orange computer since September. The password was then made available for sale on an infostealer marketplace.

According to MoffettNathanson, the U.S. pay-TV industry had its worst-ever third quarter after losing about 900,000 subscribers. "That poor result, the research firm added, left the total pay-TV industry shrinking at a record pace of -7.3%, widened from a year-ago decline of -5.9%," reports Light Reading. "It also left pay-TV penetration of occupied households (including vMVPDs) at just 54.8% -- a level last seen in 1989, five years before the debut of DirecTV." From the report: Drilling down on Q3 results, traditional pay-TV providers (cable, telco and satellite) shed 1.97 million subscribers, widened from a loss of 1.94 million in the year-ago quarter. Within that category, US cable lost 1.10 million video subs in Q3, versus a loss of -1.09 million in the year-ago period. Satellite operators (Dish Network and DirecTV) lost 667,000 subs in Q3, versus -567,000 in the year-ago quarter. Telco TV providers lost 198,000 video subs in the period, an improvement when compared to a year-ago loss of -250,000 subs.

vMVPDs, meanwhile, added 1.08 million in Q3, down from a year-ago gain of about 1.34 million. Despite those gains, vMVPDs recaptured only 21.7% of traditional pay-TV's subscriber losses in the period, according to MoffettNathanson. Meanwhile, YouTube TV continues to dominate the vMVPD category. MoffettNathanson estimates that YouTube TV added about 350,000 subs in Q3, extending its total to 7 million -- representing 40% of the vMVPD sector's 18 million subscriber total. "Based on our Q3 estimate, YouTube TV has now surpassed Dish Network [6.72 million satellite TV subs at the end of Q3] to become the country's fourth largest MVPD of any kind," Moffett noted. "At the current trajectory, YouTube TV should pass DirecTV for third place in less than a year."

An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. From a report: San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023. Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims' information in order to notify state authorities and the individuals affected. In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.

Germany's emissions hit a 70-year low last year as Europe's largest economy reduced its reliance on coal. From a report: A study by the thinktank Agora Energiewende found that Germany emitted 673m tonnes of greenhouse gases in 2023, 73m tonnes fewer than in 2022. The drop was "largely attributable to a strong decrease in coal power generation," Agora said, accounting for a reduction of 46m tonnes in CO2 emissions. Emissions from industry fell significantly, largely due to a decline in production by energy-intensive companies.

Electricity generation from renewable sources was more than 50% of the total in 2023 for the first time, while coal's share dropped to 26% from 34%, according to the federal network agency. Germany had resorted to coal following the Russian invasion of Ukraine, when Moscow cut off gas supplies. But since then Germany has significantly reduced its use of the fossil fuels.