The federal government has spent $22 billion in recent years on technology from the top 100 national-security startups, a paltry portion of overall contract spending and less than half of what venture capitalists have invested in those same companies. WSJ: The gap underscores the discrepancy between the surge of venture capital funding for defense technology and the U.S. government's spending on substantial contracts to startups. The new numbers come from a report released Thursday by Silicon Valley Defense Group, a nonprofit that started a decade ago with the aim of bringing more startup innovation to the Defense Department.

According to the report, the top 100 venture capital-backed national security startups have raised a combined $53 billion in private funding since their inception, $11 billion of which has come in the past 12 months. Those same startups have collectively earned $22 billion in revenue from federal awards, $6 billion of which came from the Defense Department. The organization ranked the startups based on head count growth, total capital raised and other factors.ÂTraditional defense contractors receive hundreds of billions in awards every year.

Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It's the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April. TechCrunch: In its communication to affected users, Apple stressed the sensitive nature of its threat identification methods, cautioning that divulging additional details could potentially aid attackers in evading future detection. Apple has also made a notable shift in its language since last year, opting to describe these incidents as "mercenary spyware attacks" instead of the previously used term "state-sponsored" attacks.

An anonymous reader quotes a report from Reuters: The German government and mobile phone carriers have agreed in principle on steps to phase components by Chinese technology companies out of the nation's 5G wireless network over the next five years, two people familiar with the matter told Reuters on Wednesday. Newspaper Sueddeutsche Zeitung as well as broadcasters NDR and WDR earlier jointly reported the news, saying the agreement gives network operators Deutsche Telekom, Vodafone, and Telefonica Deutschland more time to replace critical parts. Under the preliminary agreement driven by security considerations, operators will initially rid the country's core network of 5G data centers of technology made by companies such as Huawei and ZTE in 2026, said the sources, adding that a final pact has yet to be signed. In a second phase, the role of Chinese makers' parts for antennas, transmission lines and towers should be all but eliminated by 2029, they added. "The government is acting on the basis of the national security strategy and China strategy to reduce possible security risks and dependencies," said a spokesperson for Germany's interior ministry.

Microsoft is under fire for its handling of customer notifications following a data breach by Russian state-sponsored hackers. The tech giant confirmed in March that the group known as Midnight Blizzard had accessed its systems, potentially compromising customer data. Cybersecurity experts, including former Microsoft employee Kevin Beaumont, have raised concerns about the notification process. Beaumont warned on social media that the company's emails may be mistaken for spam or phishing attempts due to their format and the use of unfamiliar links. "The notifications aren't in the portal, they emailed tenant admins instead," Beaumont stated, adding that the emails could be easily overlooked. Some recipients have reported confusion over the legitimacy of the notifications, with many seeking confirmation through support channels and account managers.

A bipartisan group of senators reached a new agreement on legislation that would ban members of Congress, their spouses and dependent children, as well as the president and vice president, from purchasing and selling stocks while in office. According to CNBC, it would also give lawmakers 90 days to sell their stocks. From the report: The proposal is the latest chapter in a yearslong saga in Congress to pass regulations that limit lawmakers' ability to buy and sell stocks, and the first one to get formal consideration by a Senate committee -- in this case the Homeland Security & Governmental Affairs Committee on July 24. Ethics experts say that legislators' access to the kind of information they receive gives them the potential of having an unfair advantage to the investing public.

Sens. Hawley, Jon Ossoff, D-Ga., Jeff Merkley, D-Ore., and Gary Peters, D-Mich., negotiated and announced the new details. If passed, the bill would also prohibit lawmakers' spouses and dependent children from trading stocks, beginning March 2027. Also starting that year, the U.S. president, vice president and all members of Congress would have to divest from any covered investments. The penalty for violating the divestment mandate, as proposed by the senators, would cost a lawmaker the greater amount of either their monthly salary, or 10% of the value of each covered asset in violation.

Amazon Web Services is the latest entrant to the generative AI game with the announcement of App Studio, a groundbreaking tool capable of building complex software applications from simple written prompts. TechCrunch's Ron Miller reports: "App Studio is for technical folks who have technical expertise but are not professional developers, and we're enabling them to build enterprise-grade apps," Sriram Devanathan, GM of Amazon Q Apps and AWS App Studio, told TechCrunch. Amazon defines enterprise apps as having multiple UI pages with the ability to pull from multiple data sources, perform complex operations like joins and filters, and embed business logic in them. It is aimed at IT professionals, data engineers and enterprise architects, even product managers who might lack coding skills but have the requisite company knowledge to understand what kinds of internal software applications they might need. The company is hoping to enable these employees to build applications by describing the application they need and the data sources they wish to use.

Examples of the types of applications include an inventory-tracking system or claims approval process. The user starts by entering the name of an application, calling the data sources and then describing the application they want to build. The system comes with some sample prompts to help, but users can enter an ad hoc description if they wish. It then builds a list of requirements for the application and what it will do, based on the description. The user can refine these requirements by interacting with the generative AI. In that way, it's not unlike a lot of no-code tools that preceded it, but Devanathan says it is different. [...] Once the application is complete, it goes through a mini DevOps pipeline where it can be tested before going into production. In terms of identity, security and governance, and other requirements any enterprise would have for applications being deployed, the administrator can link to existing systems when setting up the App Studio. When it gets deployed, AWS handles all of that on the back end for the customer, based on the information entered by the admin.

Google has streamlined its Advanced Protection Program, allowing users to enroll using a single passkey instead of two physical security keys. The program, designed for individuals at high risk of targeted online attacks, now uses built-in biometric authentication on Pixel phones and iPhones.

wiredmikey shares a report from SecurityWeek: Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor-authentication (MFA) protections. The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, ISPs, and telcos are exposed to major risk. The vulnerability is being tracked as CVE-2024-3596 and VU#456537. "The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network," the research team explained (PDF).

The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products. "All of those devices are likely vulnerable to this attack," the researchers warned. "The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will," according to the InkBridge Networks documentation. The researchers say that every single RADIUS server must be upgraded in order to protect against this vulnerability. "It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable."

Australia's government cybersecurity agency on Tuesday accused a China-backed hacker group of stealing passwords and usernames from two unnamed Australian networks in 2022, adding that the group remained a threat. From a report: A joint report led by the Australian Cyber Security Centre said the hackers, named APT40, had conducted malicious cyber operations for China's Ministry of State Security, the main agency overlooking foreign intelligence. "The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40," said the report, which included inputs from lead cyber security agencies for the United States, Britain, Canada, New Zealand, Japan, South Korea and Germany. U.S. and British officials in March had accused Beijing of a sweeping cyberespionage campaign that allegedly hit millions of people including lawmakers, academics and journalists, and companies including defense contractors. They said China-backed "APT31" was responsible for the network intrusion.

An anonymous reader quotes a report from Fortune: On February 1st last year, Montana residents gawked upwards at a large white object hovering in the sky that looked to be another moon. The airborne object was in fact a Chinese spy balloon loaded with cameras, sensors, and other high-tech surveillance equipment, and it set off a nationwide panic as it drifted across the midwestern and southern United States. How much information the balloon gathered -- if any -- remains unknown, but the threat was deemed serious enough that an F-22 U.S. Air Force jet fired a Sidewinder missile at the unmanned balloon on a February afternoon, blasting it to pieces a few miles off the coast of South Carolina. At the same time that the eyes of Americans were fixed on the Chinese intruder in the sky, around 30 cars owned by Chinese companies and equipped with cameras and geospatial mapping technology were navigating the streets of greater Los Angeles, San Francisco, and San Jose. They collected detailed videos, audio recordings, and location data on their surroundings to chart out California's roads and develop their autonomous driving algorithms.

Since 2017, self-driving cars owned by Chinese companies have traversed 1.8 million miles of California alone, according to a Fortune analysis of the state's Department of Motor Vehicles data. As part of their basic functionality, these cars capture video of their surroundings and map the state's roads to within two centimeters of precision. Companies transfer that information from the cars to data centers, where they use it to train their self-driving systems. The cars are part of a state program that allows companies developing self-driving technology -- including Google-spinoff Waymo and Amazon-owned Zoox -- to test autonomous vehicles on public roads. Among the 35 companies approved to test by the California DMV, seven are wholly or partly China-based. Five of them drove on California roads last year: WeRide, Apollo, AutoX, Pony.ai, and DiDi Research America. Some Chinese companies are approved to test in Arizona and Texas as well.

Fitted with cameras, microphones, and sophisticated sensors, self-driving cars have long raised flags among privacy advocates. Matthew Guariglia, a policy analyst at the digital rights nonprofit Electronic Frontier Foundation, called self-driving cars "rolling surveillance devices" that passively collect massive amounts of information on Americans in plain sight. In the context of national security however, the data-hungry Chinese cars have received surprisingly little scrutiny. Some experts have compared them to Chinese-owned social media site TikTok, which has been subjected to a forced divestiture or ban on U.S. soil due to fears around its data collection practices threatening national security. The years-long condemnation of TikTok at the highest levels of the U.S. government has heightened the sense of distrust between the U.S. and China.

Some Chinese self-driving car companies appear to store U.S. data in China, according to privacy policies reviewed byFortune -- a situation that experts said effectively leaves the data accessible to the Chinese government. Depending on the type of information collected by the cars, the level of precision, and the frequency at which it's collected, the data could provide a foreign adversary with a treasure trove of intelligence that could be used for everything from mass surveillance to war planning, according to security experts who spoke withFortune. And yet, despite the sensitivity of the data, officials at the state and federal agencies overseeing the self-driving car testing acknowledge that they do not currently monitor, or have any process for checking, exactly what data the Chinese vehicles are collecting and what happens to the data after it is collected. Nor do they have any additional rules or policies in place for oversight of Chinese self-driving cars versus the cars in the program operated by American or European companies. "It is literally the wild, Wild West here," said Craig Singleton, director of the China program at the Foundation for Defense of Democracies, a conservative-leaning national security think tank. "There's no one in charge."

Andy Maxwell reports via TorrentFreak: On November 4, 2022, the United States Department of Justice and the FBI began seizing Z-Library's domains as part of a major operation to shut down the infamous 'shadow library' platform. A criminal investigation had identified two Russian nationals, Anton Napolsky and Valeriia Ermakova, as the alleged operators of the site. On October 21, 2022, at the U.S. District Court for the Eastern District of New York, Judge Sanket J. Bulsara ordered their arrest. They were detained in Argentina on November 3, 2022. After arriving at the Ambrosio Taravella International Airport, the unsuspecting couple cleared customs and hired a car from a popular rental company. The United States Embassy informed local authorities that the pair were subject to an Interpol Red Notice.

At what point the Russians' phones were tapped is unclear but, under the authority of a Federal Court arrest warrant, Argentinian law enforcement began tracking the couple's movements as they traveled south in their rented Toyota Corolla. [...] [F]ollowing a visit to El Calafate, the pair were arrested by airport security police as they arrived in Rio Gallegos, Santa Cruz. They were later transferred to Cordoba. In January 2023, Judge Miguel Hugo Vaca Narvaja authorized the Russians to be detained under house arrest. Approval from Cordoba prosecutor Maximiliano Hairabedian, who was responsible for the request to extradite Napolsky and Ermakova to the United States, was not obtained. With a federal indictment, alleging criminal copyright infringement, wire fraud, and money laundering offenses, waiting for them in the United States, the priority for Napolsky and Ermakova would soon be their fight against extradition. [...]

Patronato del Liberado (Patronage of the Liberated) is responsible for assisting people who have previously been detained by the authorities with family and social reintegration. It's also tasked with monitoring compliance of those on probation or subject to house arrest. According to unnamed 'judicial sources' cited by La Voz, which receives full credit for a remarkable scoop, when the group conducted a regular visit in May, to verify that Napolsky and Ermakova were in compliance with the rules set by the state, there was no trace of them. Patronato del Liberado raised the alarm and Judge Sanchez Freytes was immediately notified. Counsel for the defense during the extradition hearings said that he hadn't been able to contact the Russians either. The Judge ordered an international arrest warrant although there appeared to be at least some hope the pair hadn't left the country. However, that was many weeks ago and with no obvious news suggesting their recapture, the pair could be anywhere by now.

Google plans to support its own long-term support (LTS) kernel releases for Android devices for four years, a move aimed at bolstering the security of the mobile operating system. This decision, reported by AndroidAuthority, comes in response to the Linux community's recent reduction of LTS support from six years to two years, a change that posed potential challenges for Android's security ecosystem.

The Android Common Kernel (ACK) branches, derived from upstream Linux LTS releases, form the basis of most Android devices' kernels. Google maintains these forks to incorporate Android-specific features and backport critical functionality. Regular updates to these kernels address vulnerabilities disclosed in monthly Android Security Bulletins. While the extended support period benefits Android users and manufacturers, it places significant demands on Linux kernel developers.

NATO is helping finance a project aimed at finding ways to keep the internet running should subsea cables shuttling civilian and military communications across European waters come under attack. From a report: Researchers, who include academics from the US, Iceland, Sweden and Switzerland, say they want to develop a way to seamlessly reroute internet traffic from subsea cables to satellite systems in the event of sabotage, or a natural disaster. The North Atlantic Treaty Organization's Science for Peace and Security Programme has approved a grant of as much as $433,600 for the $2.5 million project, and research institutions are providing in-kind contributions, documents seen by Bloomberg show.

Eyup Kuntay Turmus, adviser and program manager at the NATO program, confirmed the project was recently approved and said by email that implementation will start "very soon." The initiative, which hasn't yet been publicly announced, comes amid intensifying fears that Russia or China could mine, sever or otherwise tamper with undersea cables in an attempt to disrupt communications during a military crisis. Data carried through cables under the sea account for roughly $10 trillion worth of financial transactions every day, and nearly all of the NATO's internet traffic travels through them, according to the treaty organization. As a result, NATO has been ramping up efforts to protect cables over the course of the past several months.

An anonymous reader shares a report: Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare. While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews' Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches. "In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.

"After sixteen years since the introduction of Python 3, the Fedora project announces that Python 2.7, the last of the Python 2 series, will be retired," according to long-time Slashdot reader slack_justyb.

From the announcement on the Fedora changes page: The python2.7 package will be retired without replacement from Fedora Linux 41. There will be no Python 2 in Fedora 41+ other than PyPy. Packages requiring python2.7 on runtime or buildtime will have to deal with the retirement or be retired as well.
"This also comes with the announcement that GIMP 3 will be coming to Fedora 41 to remove any last Python 2 dependencies," adds slack_justyb. GIMP 2 was originally released on March 23, 2004. GIMP will be updated to GIMP 3 with Python 3 support. Python 2 dependencies of GIMP will be retired.
Python 2's end of life was originally 2015, but was extended to 2020. The Python maintainers close with this: The Python maintainers will no longer regularly backport security fixes to Python 2.7 in RHEL, due to the the end of maintenance of RHEL 7 and the retirement of the Python 2.7 application stream in RHEL 8. We provided this obsolete package for 5 years beyond its retirement date and will continue to provide it until Fedora 40 goes end of life. Enough has been enough.

Monday Boeing announced plans to acquire its key supplier, Spirit AeroSystems, for $4.7 billion, according to the Associated Press — "a move that it says will improve plane quality and safety amid increasing scrutiny by Congress, airlines and the Department of Justice. Boeing previously owned Spirit, and the purchase would reverse a longtime Boeing strategy of outsourcing key work on its passenger planes."

But meanwhile, an anonymous reader shared this report from Newsweek: More than a hundred Boeing whistleblowers have contacted the U.S. aviation watchdog since the start of the year, Newsweek can reveal. Official figures show that the Federal Aviation Administration's (FAA) whistleblowing hotline has seen a huge surge of calls from workers concerned about safety problems. Since January the watchdog saw a total of 126 reports, via various channels, from workers concerned about safety problems. In 2023, there were just 11....

After a visit from FAA Administrator Mike Whitaker to a Boeing factory earlier in the year, Boeing CEO Dave Calhoun agreed to share details of the hotline with all Boeing employees. The FAA told Newsweek that the number of Boeing employees coming forward was a "sign of a healthy culture".... Newsweek also spoke to Jon Holden, president of the 751 District for the International Association of Machinists, Boeing's largest union which represents more than 32,000 aerospace workers. Holden said that numerous whistleblowers had complained to the FAA over Boeing's attempt to cut staff and reduce inspections in an effort to "speed up the rate" at which planes went out the door...

Holden's union is currently in contract negotiations with Boeing, and is attempting to secure a 40% pay rise alongside a 50-year guarantee of work security for its members.
CNN also reports on new allegations Wednesday from a former Boeing quality-control manager: that "for years workers at its 787 Dreamliner factory in Everett, Washington, routinely took parts that were deemed unsuitable to fly out of an internal scrap yard and put them back on factory assembly lines." In his first network TV interview, Merle Meyers, a 30-year veteran of Boeing, described to CNN what he says was an elaborate off-the-books practice that Boeing managers at the Everett factory used to meet production deadlines, including taking damaged and improper parts from the company's scrapyard, storehouses and loading docks... Meyers' claims that lapses he witnessed were intentional, organized efforts designed to thwart quality control processes in an effort to keep up with demanding production schedules. Beginning in the early 2000s, Meyers says that for more than a decade, he estimates that about 50,000 parts "escaped" quality control and were used to build aircraft. Those parts include everything from small items like screws to more complex assemblies like wing flaps. A single Boeing 787 Dreamliner, for example, has approximately 2.3 million parts...

Based on conversations Meyers says he had with current Boeing workers in the time since he left the company, he believes that while employees no longer remove parts from the scrapyard, the practice of using other unapproved parts in assembly lines continues. "Now they're back to taking parts of body sections — everything — right when it arrives at the Everett site, bypassing quality, going right to the airplane," Meyers said.

Company emails going back years show that Meyers repeatedly flagged the issue to Boeing's corporate investigations team, pointing out what he says were blatant violations of Boeing's safety rules. But investigators routinely failed to enforce those rules, Meyers says, even ignoring "eye witness observations and the hard work done to ensure the safety of future passengers and crew," he wrote in an internal 2022 email provided to CNN.

IEEE Spectrum (the IEEE's official publication) asks the question. "How does an AI code generator compare to a human programmer?" A study published in the June issue of IEEE Transactions on Software Engineering evaluated the code produced by OpenAI's ChatGPT in terms of functionality, complexity and security. The results show that ChatGPT has an extremely broad range of success when it comes to producing functional code — with a success rate ranging from anywhere as poor as 0.66 percent and as good as 89 percent — depending on the difficulty of the task, the programming language, and a number of other factors. While in some cases the AI generator could produce better code than humans, the analysis also reveals some security concerns with AI-generated code.
The study tested GPT-3.5 on 728 coding problems from the LeetCode testing platform — and in five programming languages: C, C++, Java, JavaScript, and Python. The results? Overall, ChatGPT was fairly good at solving problems in the different coding languages — but especially when attempting to solve coding problems that existed on LeetCode before 2021. For instance, it was able to produce functional code for easy, medium, and hard problems with success rates of about 89, 71, and 40 percent, respectively. "However, when it comes to the algorithm problems after 2021, ChatGPT's ability to generate functionally correct code is affected. It sometimes fails to understand the meaning of questions, even for easy level problems," said Yutian Tang, a lecturer at the University of Glasgow. For example, ChatGPT's ability to produce functional code for "easy" coding problems dropped from 89 percent to 52 percent after 2021. And its ability to generate functional code for "hard" problems dropped from 40 percent to 0.66 percent after this time as well...

The researchers also explored the ability of ChatGPT to fix its own coding errors after receiving feedback from LeetCode. They randomly selected 50 coding scenarios where ChatGPT initially generated incorrect coding, either because it didn't understand the content or problem at hand. While ChatGPT was good at fixing compiling errors, it generally was not good at correcting its own mistakes... The researchers also found that ChatGPT-generated code did have a fair amount of vulnerabilities, such as a missing null test, but many of these were easily fixable.
"Interestingly, ChatGPT is able to generate code with smaller runtime and memory overheads than at least 50 percent of human solutions to the same LeetCode problems..."

Windows Recall was "delayed" over concerns that storing unencrypted recordings of users' activity was a security risk.

But now Slashdot reader storagedude writes: The latest version of Microsoft's planned Windows Recall feature still contains data privacy and security vulnerabilities, according to a report by the Cyber Express.

Security researcher Kevin Beaumont — whose work started the backlash that resulted in Recall getting delayed last month — said the most recent preview version is still hackable by Alex Hagenah's "TotalRecall" method "with the smallest of tweaks."

The Windows screen recording feature could as yet be refined to fix security concerns, but some have spotted it recently in some versions of the Windows 11 24H2 release preview that will be officially released in the fall.
Cyber Express (the blog of threat intelligence vendor Cyble Inc) got this official response: Asked for comment on Beaumont's findings, a Microsoft spokesperson said the company "has not officially released Recall," and referred to the updated blog post that announced the delay, which said: "Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks."

"Beyond that, Microsoft has nothing more to share," the spokesperson added.
Also this week, the blog Android Authority wrote that Google is planning to introduce its own "Google AI" features to Pixel 9 smartphones. They include the ability to enhance screenshots, an "Add Me" tool for group photos — and also "a feature resembling Microsoft's controversial Recall" dubbed "Pixel Screenshots." Google's take on the feature is different and more privacy-focused: instead of automatically capturing everything you're doing, it will only work on screenshots you take yourself. When you do that, the app will add a bit of extra metadata to it, like app names, web links, etc. After that, it will be processed by a local AI, presumably the new multimodal version of Gemini Nano, which will let you search for specific screenshots just by their contents, as well as ask a bot questions about them.

My take on the feature is that it's definitely a better implementation of the idea than what Microsoft created.. [B]oth of the apps ultimately serve a similar purpose and Google's implementation doesn't easily leak sensitive information...

It's worth mentioning Motorola is also working on its own version of Recall — not much is known at the moment, but it seems it will be similar to Google's implementation, with no automatic saving of everything on the screen.
The Verge describes the Pixel 9's Google AI as "like Microsoft Recall but a little less creepy."

An anonymous reader quotes a report from The Register: The latest figures suggest that around 1,500 medical procedures have been canceled across some of London's biggest hospitals in the four weeks since Qilin's ransomware attack hit pathology services provider Synnovis. But perhaps no single person was affected as severely as Johanna Groothuizen. Hanna -- the name she goes by -- is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute. The 36-year-old research culture manager at King's College London and former researcher in health sciences was diagnosed with HER2-positive breast cancer in late 2023. It's an aggressive form known for spreading faster and is more commonly recurring, which necessitates urgent treatment. Hanna soon began a course of chemotherapy following her diagnosis until she was able to have what will hopefully be the first and only major procedure to remove the disease. Between then and the operation, which was scheduled for June 7 -- four days after the ransomware attack was carried out -- she had been told repeatedly that the planned procedure was a skin-sparing mastectomy which would have allowed surgeons to cosmetically reconstruct her right breast immediately after the operation.

How the ordeal actually unraveled, however, was an entirely different story. Hanna was given less than 24 hours by doctors to make the daunting decision to either accept a simple mastectomy or delay a life-changing procedure until Synnovis's systems were back online. The decision was thrust upon her on the Thursday afternoon before her Friday surgery. This was after she was forced to chase the medical staff for updates about whether the procedure was going ahead at all. Hanna was told on the Tuesday of that week, the day after Qilin's attack, that despite everything going on, the staff at St Thomas' hospital in London were still planning to go ahead with the skin-sparing mastectomy as previously agreed. Per the updates Hanna requested on Thursday, it was strongly suggested that the operation was going to be canceled. The hospital deemed the reconstruction part of the procedure too risky because Synnovis was unable to support blood transfusions until its systems were back online.

The ransomware attack wasn't easy on hospitals. The situation was so dire that blood reserves were running low just a week after the attack, prompting an urgent appeal for O-type blood donations. For Hanna, though, this meant she had to make the unimaginably difficult choice between the surgery she wanted, or the surgery that would give her the best chance at survival. The mother of two young children, aged four and two, felt like she had no other choice but to accept the simple mastectomy, leaving her with only one breast. [...] At the time of writing, it's now nearly five weeks since Qilin's attack on Synnovis -- a pathology services partnership between Synlab, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust. The most recent update provided by the NHS said disruption to services was still evident across the region, although some services such as outpatient appointments are returning to near-normal levels. Between June 24-30, there were 1,517 cute outpatient appointments and 136 electric procedures that needed to be postponed across the two NHS trusts partnered with Synlab. "The total number of postponements for the entire month since the attack took hold (June 3-30) stand at 4,913 for acute outpatient appointments and 1,391 for elective procedures," notes the report.

Longtime Slashdot reader Artem S. Tashkinov shares a report from The Hacker News: A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week. "This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches." A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic. Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim's network latency as a side channel to determine online activities on the victim system.

To perform such a fingerprinting attack and glean what video or a website a user might be watching or visiting, the attacker conducts a series of latency measurements of the victim's network connection as the content is being downloaded from the server while they are browsing or viewing. It then involves a post-processing phase that employs a convolutional neural network (CNN) trained with traces from an identical network setup to make the inference with an accuracy of up to 98% for videos and 63% for websites. In other words, due to the network bottleneck on the victim's side, the adversary can deduce the transmitted amount of data by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to classify the video watched by the victim. The attack is so named because the attacking server transmits the file at a snail's pace in order to monitor the connection latency over an extended period of time.