Airbnb will no longer allow hosts to use indoor security cameras, regardless of where they're placed or what they're used for. In an update on Monday, Airbnb says the change to "prioritize the privacy" of renters goes into effect on April 30th. From a report: The vacation rental app previously let hosts install security cameras in "common areas" of listings, including hallways, living rooms, and front doors. Airbnb required hosts to disclose the presence of security cameras in their listings and make them clearly visible, and it prohibited hosts from using cameras in bedrooms and bathrooms.

But now, hosts can't use indoor security cameras at all. The change comes after numerous reports of guests finding hidden cameras within their rental, leading some vacation-goers to scan their rooms for cameras. Airbnb's new policy also introduces new rules for outdoor security cameras, and will now require hosts to disclose their use and locations before guests book a listing. Hosts can't use outdoor cams to keep tabs on indoor spaces, either, nor can they use them in "certain outdoor areas where there's a great expectation of privacy," such as an outdoor shower or sauna.

CNN's national security analyst interviewed a U.S. intelligence officer who worked on the newly-released Defense report debunking UFO sightings — physicist Sean Kirkpatrick. He tells CNN "about two to five percent" of UFO reports are "truly anomalous."

But CNN adds that "he thinks explanations for that small percentage will most likely be found right here on Earth..." This is how Kirkpatrick and his team explain the Roswell incident, which plays a prominent role in UFO lore. That's because, in 1947, a U.S. military news release stated that a flying saucer had crashed near Roswell Army Air Field in New Mexico. A day later, the Army retracted the story and said the crashed object was a weather balloon. Newspapers ran the initial saucer headline, followed up with the official debunking, and interest in the case largely died down. Until 1980, that is, when a pair of UFO researchers published a book alleging that alien bodies had been recovered from the Roswell wreckage and that the U.S. government had covered up the evidence.

Kirkpatrick says his office dug deep into the Roswell incident and found that in the late 1940s and early 1950s, there were a lot of things happening near the Roswell Airfield. There was a spy program called Project Mogul, which launched long strings of oddly shaped metallic balloons. They were designed to monitor Soviet nuclear tests and were highly secret. At the same time, the U.S. military was conducting tests with other high-altitude balloons that carried human test dummies rigged with sensors and zipped into body-sized bags for protection against the elements. And there was at least one military plane crash nearby with 11 fatalities.

Echoing earlier government investigations, Kirkpatrick and his team concluded that the crashed Mogul balloons, the recovery operations to retrieve downed test dummies and glimpses of the charred aftermath of that real plane crash likely combined into a single false narrative about a crashed alien spacecraft...

Since 2020, the Pentagon has standardized, de-stigmatized and increased the volume of reporting on UFOs by the U.S. military. Kirkpatrick says that's the reason the closely covered and widely-mocked Chinese spy balloon was spotted in the first place last year. The incident shows that the U.S. government's policy of taking UFOs seriously is actually working.
The pattern keeps repeating. "Kirkpatrick says, his investigation found that most UFO sightings are of advanced technology that the U.S. government needs to keep secret, of aircraft that rival nations are using to spy on the U.S. or of benign civilian drones and balloons." ("What's more likely?" asked Kirkpatrick. "The fact that there is a state-of-the-art technology that's being commercialized down in Florida that you didn't know about, or we have extraterrestrials?")

But the greatest irony may be that "stories about these secret programs spread inside the Pentagon, got embellished and received the occasional boost from service members who'd heard rumors about or caught glimpses of seemingly sci-fi technology or aircraft. And Kirkpatrick says his investigators ultimately traced this game of top-secret telephone back to fewer than a dozen people... [F]or decades, UFO true believers have been telling us there's a U.S. government conspiracy to hide evidence of aliens. But — if you believe Kirkpatrick — the more mundane truth is that these stories are being pumped up by a group of UFO true believers in and around government."

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. "A Docker command was received..." they write, "that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server's root directory..." Typically, this is exploited to write out a job for the Cron scheduler to execute... In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh
"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."

The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers writes.]

"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."

An anonymous reader shared this report from the Guardian: The U.S. is not secretly hiding alien technology or extraterrestrial beings from the public, according to a defense department report.

On Friday, the Pentagon 'published the findings of an investigation conducted by the All-Domain Anomaly Resolution Office (AARO), a government office established in 2022 to detect and, as necessary, mitigate threats including "anomalous, unidentified space, airborne, submerged and transmedium objects"....

AARO investigators, which were "granted full access to all pertinent sensitive [U.S. government] programs", reviewed all official government investigatory efforts since 1945. Investigators also researched classified and unclassified archives, conducted approximately 30 interviews, and collaborated with intelligence community and defense department officials responsible for controlled and special access program oversight, the report revealed.
NPR writes that "Many of the sightings turned out to be drones, weather balloons, spy planes, satellites, rockets and planets, according to the report..." "AARO has found no evidence that any U.S. government investigation, academic-sponsored research, or official review panel has confirmed that any sighting of a UAP represented extraterrestrial technology," Pentagon Press Secretary Maj. Gen. Pat Ryder said in a statement Friday. All investigative efforts concluded that most sightings were ordinary objects and the result of misidentification, Ryder said... The office plans to publish a second volume of the report later this year that covers findings from interviews and research done between November 2023 and April 2024."
The report finds no evidence of any confirmed alien technology, the Guardian notes: It added that sensors and visual observations are imperfect, the vast majority of cases lack actionable data and such available data is limited or of poor quality. The report also said resources and staffing for such programs have largely been irregular and sporadic and that the vast majority of reports "almost certainly" are the result of misidentification. In addition, the report found "no empirical evidence for claims that the [U.S. government] and private companies have been reverse-engineering extraterrestrial technology"...

The report's public release comes as AARO's acting director, Timothy Phillips, told reporters on Wednesday that the US military is developing a UFO sensor and detection system called Gremlin. "If we have a national security site and there are objects being reported that [are] within restricted airspace or within a maritime range or within the proximity of one of our spaceships, we need to understand what that is ... and so that's why we're developing sensor capability that we can deploy in reaction to reports," Phillips said, CNN reports.

"A 20-year-old Trojan resurfaced recently," reports Dark Reading, "with new variants that target Linux and impersonate a trusted hosted domain to evade detection." Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.

There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which "raises concerns among security experts and organizations," researchers Anmol Murya and Siddharth Sharma wrote in the company's newly published findings.

Moreover, there is evidence that cyberattackers aim to expand Bifrost's attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said... "As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets."

"2004 was already an eventful year for Linux," writes ZDNet's Jack Wallen. "As I reported at the time, SCO was trying to drive Linux out of business. Red Hat was abandoning Linux end-user fans for enterprise customers by closing down Red Hat Linux 9 and launching the business-friendly Red Hat Enterprise Linux (RHEL). Oh, and South African tech millionaire and astronaut Mark Shuttleworth [also a Debian Linux developer] launched Canonical, Ubuntu Linux's parent company.

"Little did I — or anyone else — suspect that Canonical would become one of the world's major Linux companies."

Mark Shuttleworth answered questions from Slashdot reader in 2005 and again in 2012. And this year, Canonical celebrates its 20th anniversary. ZDNet reports: Canonical's purpose, from the beginning, was to support and share free software and open-source software... Then, as now, Ubuntu was based on Debian Linux. Unlike Debian, which never met a delivery deadline it couldn't miss, Ubuntu was set to be updated to the latest desktop, kernel, and infrastructure with a new release every six months. Canonical has kept to that cadence — except for the Ubuntu 6.06 release — for 20 years now...

Released in October 2004, Ubuntu Linux quickly became synonymous with ease of use, stability, and security, bridging the gap between the power of Linux and the usability demanded by end users. The early years of Canonical were marked by rapid innovation and community building. The Ubuntu community, a vibrant and passionate group of developers and users, became the heart and soul of the project. Forums, wikis, and IRC channels buzzed with activity as people from all over the world came together to contribute code, report bugs, write documentation, and support each other....

Canonical's influence extends beyond the desktop. Ubuntu Linux, for example, is the number one cloud operating system. Ubuntu started as a community desktop distribution, but it's become a major enterprise Linux power [also widely use as a server and Internet of Things operating system.]
The article notes Canonical's 2011 creation of the Unity desktop. ("While Ubuntu Unity still lives on — open-source projects have nine lives — it's now a sideline. Ubuntu renewed its commitment to the GNOME desktop...")

But the article also argues that "2016, on the other hand, saw the emergence of Ubuntu Snap, a containerized way to install software, which --along with its rival Red Hat's Flatpak — is helping Linux gain some desktop popularity."

" A federal agency in charge of cybersecurity discovered it was hacked last month..." reports CNN.

Last month the U.S. Department of Homeland Security experienced a breach at its Cybersecurity and Infrastructure Security Agency, reports the Record, "through vulnerabilities in Ivanti products, officials said..."

"The impact was limited to two systems, which we immediately took offline," the spokesperson said. We continue to upgrade and modernize our systems, and there is no operational impact at this time."

"This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience." CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline.

Ivanti makes software that organizations use to manage IT, including security and system access. A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline. CSAT houses some of the country's most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.
"Last week, several of the world's leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised," the article points out.

The statement last week from CISA said the agency "has conducted independent research in a lab environment validating that the Ivanti Integrity Checker Tool is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets."

UPDATE: The two systems run on older technology that was already set to be replaced, sources told CNN..." While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do. The US' top cybersecurity diplomat Nate Fick said last year that his personal account on social media platform X was hacked, calling it part of the "perils of the job."

As reported by The Information (paywalled), OpenAI CEO Sam Altman will return to the company's board along with three new directors. Reuters reports: The company has also concluded the investigation around Altman's November firing, the Information said, referring to the ouster that briefly threw the world's most prominent artificial intelligence company into chaos. Employees, investors and OpenAI's biggest financial backer, Microsoft had expressed shock over Altman's ouster, which was reversed within days. The company will also announce the appointment of three new directors, Sue Desmond-Hellmann, a former CEO of the Bill and Melinda Gates Foundation, Nicole Seligman, a former president of Sony Entertainment, and Fidji Simo, CEO of Instacart, the Information said. "I'm pleased this whole thing is over," Altman said.

"We are excited and unanimous in our support for Sam and Greg [Brockman]," OpenAI chair and former Salesforce executive Bret Taylor told reporters. Taylor said they also adopted "a number of governance enhancements," such as a whistleblower hotline and a new mission and strategy committee on the board. "The mission has not changed, because it is more important than ever before," added Taylor.

An independent investigation by the law firm WilmerHale determined that "the prior Board acted within its broad discretion to terminate Mr. Altman, but also found that his conduct did not mandate removal." The summary, provided by OpenAI, continued: "The prior Board believed at the time that its actions would mitigate internal management challenges and did not anticipate that its actions would destabilize the Company. The prior Board's decision did not arise out of concerns regarding product safety or security, the pace of development, OpenAI's finances, or its statements to investors, customers, or business partners. Instead, it was a consequence of a breakdown in the relationship and loss of trust between the prior Board and Mr. Altman."

Microsoft revealed earlier this year that Russian state-sponsored hackers had been spying on the email accounts of some members of its senior leadership team. Now, Microsoft is disclosing that the attack, from the same group behind the SolarWinds attack, has also led to some source code being stolen in what Microsoft describes as an ongoing attack. From a report: "In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," explains Microsoft in a blog post. "This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."

It's not clear what source code was accessed, but Microsoft warns that the Nobelium group, or "Midnight Blizzard," as Microsoft refers to them, is now attempting to use "secrets of different types it has found" to try to further breach the software giant and potentially its customers. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," says Microsoft.

An anonymous reader quotes a report from MacRumors: Apple today released visionOS 1.1, marking the first major update to the visionOS operating system that was launched alongside the Vision Pro in February. visionOS updates can be installed by going to the Settings app on the Vision Pro, selecting the General section, and choosing Software Update. The Vision Pro headset will need to be removed to install new software, with a progress bar available on the front EyeSight display.

Apple is making several improvements to the Vision Pro with the visionOS update. Mobile Device Management is available for businesses, and Persona and EyeSight look better than before. The virtual keyboard has been updated to address bugs and make cursor positioning more accurate, and there are also bug fixes for the Mac Virtual Display. Here's a summary of visionOS 1.1 from the release notes: "This update introduces MDM features that enable deployment, device configuration, and management for enterprises. This release also includes Persona improvements, the ability to delete system apps from the Home View, as well as other features, bug fixes, and security updates for your Apple Vision Pro."

Researchers have developed a way to circumvent safety measures built into large language models (LLMs) using ASCII Art, a graphic design technique that involves arranging characters like letters, numbers, and punctuation marks to form recognizable patterns or images. Tom's Hardware reports: According to the research paper ArtPrompt: ASCII Art-based Jailbreak Attacks against Aligned LLMs, chatbots such as GPT-3.5, GPT-4, Gemini, Claude, and Llama2 can be induced to respond to queries they are designed to reject using ASCII art prompts generated by their ArtPrompt tool. It is a simple and effective attack, and the paper provides examples of the ArtPrompt-induced chatbots advising on how to build bombs and make counterfeit money. [...]

To best understand ArtPrompt and how it works, it is probably simplest to check out the two examples provided by the research team behind the tool. In Figure 1 [here], you can see that ArtPrompt easily sidesteps the protections of contemporary LLMs. The tool replaces the 'safety word' with an ASCII art representation of the word to form a new prompt. The LLM recognizes the ArtPrompt prompt output but sees no issue in responding, as the prompt doesn't trigger any ethical or safety safeguards.

Another example provided [here] shows us how to successfully query an LLM about counterfeiting cash. Tricking a chatbot this way seems so basic, but the ArtPrompt developers assert how their tool fools today's LLMs "effectively and efficiently." Moreover, they claim it "outperforms all [other] attacks on average" and remains a practical, viable attack for multimodal language models for now.

An anonymous reader quotes a report from BleepingComputer: FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report (PDF), which recorded a 22% increase in reported losses compared to 2022, amounting to a record of $12.5 billion. The number of relevant complaints submitted to the FBI in 2023 reached 880,000, 10% higher than the previous year, with the age group topping the report being people over 60, which shows how vulnerable older adults are to cybercrime. Both figures continue a worrying trend seen by the agency since 2019, where complaints and losses rise yearly. For 2023, the types of crimes that increased were tech support scams and extortion, whereas phishing, personal data breach, and non-payment/non-delivery scams slightly waned.

A directive known as Document 79 ramps up Beijing's effort to replace U.S. tech with homegrown alternatives. From a report: For American tech companies in China, the writing is on the wall. It's also on paper, in Document 79. The 2022 Chinese government directive expands a drive that is muscling U.S. technology out of the country -- an effort some refer to as "Delete A," for Delete America. Document 79 was so sensitive that high-ranking officials and executives were only shown the order and weren't allowed to make copies, people familiar with the matter said. It requires state-owned companies in finance, energy and other sectors to replace foreign software in their IT systems by 2027.

American tech giants had long thrived in China as they hot-wired the country's meteoric industrial rise with computers, operating systems and software. Chinese leaders want to sever that relationship, driven by a push for self-sufficiency and concerns over the country's long-term security. The first targets were hardware makers. Dell, International Business Machines and Cisco Systems have gradually seen much of their equipment replaced by products from Chinese competitors.

Document 79, named for the numbering on the paper, targets companies that provide the software -- enabling daily business operations from basic office tools to supply-chain management. The likes of Microsoft and Oracle are losing ground in the field, one of the last bastions of foreign tech profitability in the country. The effort is just one salvo in a yearslong push by Chinese leader Xi Jinping for self-sufficiency in everything from critical technology such as semiconductors and fighter jets to the production of grain and oilseeds. The broader strategy is to make China less dependent on the West for food, raw materials and energy, and instead focus on domestic supply chains.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will start providing more hands-on support to open-source software developers as they work to better secure their projects, the agency said. From a report: CISA hosted a two-day, invite-only summit this week with leaders in the open-source software community and other federal officials. During the private event, the agency also ran what's likely the first tabletop exercise to assess how well the government and the open-source community would respond to a cyberattack targeting one of their projects.

During the summit, CISA and a handful of package repositories unveiled new initiatives to help secure open-source projects. CISA is working on a new communication channel where open-source software developers can share threat intelligence and ask the agency for assistance during an incident. The Rust Foundation is developing new public key infrastructure for its repository, which will help ensure that the code developers are uploading isn't malicious and is coming from legitimate users.

npm, which manages the JavaScript programming language, is requiring project maintainers to enroll in multi-factor authentication and is rolling out a tool to generate "software bills of materials," which provide a recipe list of what code and other elements are in a project. Additional repositories -- including the Python Software Foundation, Packagist, Composer and Maven Central -- are pursuing similar projects and also also rolling out tools to help detect and report malware and other security vulnerabilities.

An anonymous reader quotes a report from the BBC: A group of US lawmakers has introduced a bill that would require Chinese tech giant ByteDance to sell off the popular video-sharing TikTok app within six months or face a ban. For years American officials have raised concerns that data from the app could fall into the hands of the Chinese government. A bipartisan set of 19 lawmakers introduced the legislation on Tuesday. TikTok called the bill a disguised "outright ban."

In a statement announcing the bill, the lawmakers said "applications like TikTok that are controlled by foreign adversaries pose an unacceptable risk to US national security." The bill would give ByteDance 165 days to divest, or it would be blocked from the app store and web hosting platforms in the US. TikTok has previously argued against divestment, saying a change in ownership would not impose new restrictions on data use. [...] The House Energy and Commerce Committee said it would consider the latest bill on Thursday. "This legislation will trample the First Amendment rights of 170 million Americans and deprive 5 million small businesses of a platform they rely on to grow and create jobs," TikTok said in a statement to the BBC.

Former President Donald Trump attempted to completely ban TikTok in 2020, but that was unsuccessful. More recently, a group of senators introduced legislation to block TikTok last year, but it was stalled due to lobbying from the company.

An anonymous reader quotes a report from Ars Technica: VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. A constellation of four vulnerabilities -- two carrying severity ratings of 9.3 out of a possible 10 -- are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that's segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response under the company's IT Infrastructure Library, a process usually abbreviated as ITIL.

"In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization," the officials wrote in a post. "However, the appropriate security response varies depending on specific circumstances." Among the specific circumstances, one concerns which vulnerable product a customer is using, and another is whether and how it may be positioned behind a firewall. A VMware advisory included the following matrix showing how the vulnerabilities -- tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 -- affect each of the vulnerable products [...]. Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice.

Broadcom, the VMware parent company, is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution. In an article explaining how to remove a USB controller, officials wrote: "The workaround is to remove all USB controllers from the Virtual Machine. As a result, USB passthrough functionality will be unavailable. In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine. In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.

IMPORTANT:
Certain guest operating systems, including Mac OS, do not support using a PS/2 mouse and keyboard. These guest operating systems will be left without a mouse and keyboard without a USB controller."

Linwei Ding, a former Google software engineer, has been indicted for stealing trade secrets related to AI to benefit two Chinese companies. He faces up to 10 years in prison and a $250,000 fine on each criminal count. Reuters reports: Ding's indictment was unveiled a little over a year after the Biden administration created an interagency Disruptive Technology Strike Force to help stop advanced technology being acquired by countries such as China and Russia, or potentially threaten national security. "The Justice Department just will not tolerate the theft of our trade secrets and intelligence," U.S. Attorney General Merrick Garland said at a conference in San Francisco.

According to the indictment, Ding stole detailed information about the hardware infrastructure and software platform that lets Google's supercomputing data centers train large AI models through machine learning. The stolen information included details about chips and systems, and software that helps power a supercomputer "capable of executing at the cutting edge of machine learning and AI technology," the indictment said. Google designed some of the allegedly stolen chip blueprints to gain an edge over cloud computing rivals Amazon.com and Microsoft, which design their own, and reduce its reliance on chips from Nvidia.

Hired by Google in 2019, Ding allegedly began his thefts three years later, while he was being courted to become chief technology officer for an early-stage Chinese tech company, and by May 2023 had uploaded more than 500 confidential files. The indictment said Ding founded his own technology company that month, and circulated a document to a chat group that said "We have experience with Google's ten-thousand-card computational power platform; we just need to replicate and upgrade it." Google became suspicious of Ding in December 2023 and took away his laptop on Jan. 4, 2024, the day before Ding planned to resign. A Google spokesperson said: "We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets. After an investigation, we found that this employee stole numerous documents, and we quickly referred the case to law enforcement."

An anonymous reader quotes a report from TechCrunch: Google today is sharing more details about the fees that will accompany its plan to comply with Europe's new Digital Markets Act (DMA), the new regulation aimed at increasing competition across the app store ecosystem. While Google yesterday pointed to ways it already complied with the DMA -- by allowing sideloading of apps, for example -- it hadn't yet shared specifics about the fees that would apply to developers, noting that further details would come out this week. That time is now, as it turns out.

Today, Google shared that there will be two fees that apply to its External offers program, also announced yesterday. This new program allows Play Store developers to lead their users in the EEA outside their app, including to promote offers. With these fees, Google is going the route of Apple, which reduced its App Store commissions in the EU to comply with the DMA but implemented a new Core Technology Fee that required developers to pay 0.50 euros for each first annual install per year over a 1 million threshold for apps distributed outside the App Store. Apple justified the fee by explaining that the services it provides developers extend beyond payment processing and include the work it does to support app creation and discovery, craft APIs, frameworks and tools to support developers' app creation work, fight fraud and more.

Google is taking a similar tactic, saying today that "Google Play's service fee has never been simply a fee for payment processing -- it reflects the value provided by Android and Play and supports our continued investments across Android and Google Play, allowing for the user and developer features that people count on," a blog post states. It says there will now be two fees that accompany External Offers program transactions:

- An initial acquisition fee, which is 10% for in-app purchases or 5% for subscriptions for two years. Google says this fee represents the value that Play provided in facilitating the initial user acquisition through the Play Store.
- An ongoing services fee, which is 17% for in-app purchases or 7% for subscriptions. This reflects the "broader value Play provides users and developers, including ongoing services such as parental controls, security scanning, fraud prevention, and continuous app updates," writes Google.

Of note, a developer can opt out of the ongoing services and corresponding fees, if the user agrees, after two years. Users who initially installed the app believe they'll have services like parental controls, security scanning, fraud prevention and continuous app updates, which is why opting out requires user consent. Although Google allows the developer to terminate this fee, those ongoing services will no longer apply either. Developers, however, will still be responsible for reporting transactions involving those users who are continuing to receive Play Store services.

An anonymous reader quotes a report from The Register: Criminals have probably stolen nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information -- including bank account and routing numbers, credit card numbers and security or access codes -- after breaking into Infosys' IT systems in the fall. According to Fidelity, in documents filed with the Maine attorney general's office, miscreants "likely acquired" information about 28,268 people's life insurance policies after infiltrating Infosys.

"At this point, [Infosys] are unable to determine with certainty what personal information was accessed as a result of this incident," the insurer noted in a letter [PDF] sent to customers. However, the US-headquartered firm says it "believes" the data included: names, Social Security numbers, states of residence, bank accounts and routing numbers, or credit/debit card numbers in combination with access code, password, and PIN for the account, and dates of birth. In other words: Potentially everything needed to drain a ton of people's bank accounts, pull off any number of identity theft-related scams -- or at least go on a massive online shopping spree.

LockBit claimed to be behind the Infosys intrusion in November, shortly after the Indian tech services titan disclosed the "cybersecurity incident" affecting its US subsidiary, Infosys McCamish Systems aka IMS. It reported that the intrusion shuttered some of its applications and IT systems [PDF]. This was before law enforcement shut down at least some of LockBit's infrastructure in December, although that's never a guarantee that the gang will slink off into obscurity -- as we're already seen. "Since learning of this event, we have been engaged with IMS to understand IMS's actions to investigate and contain the event, implement remedial measures, and safely restore its services," Fidelity assured its customers. "In addition, we remain engaged with IMS as they continue their investigation of this incident and its impact on the data they maintain."

An anonymous reader quotes a report from Krebs on Security: There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. "ALPHV") as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change's network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate's disclosure appears to have prompted BlackCat to cease operations entirely. [...]

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a "ransomware-as-service" collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid. "But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin," the affiliate "Notchy" wrote. "Sadly for Change Healthcare, their data [is] still with us." [...] On the bright side, Notchy's complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems. BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers. However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code. [...] BlackCat's website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat's network.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an "exit scam" on affiliates by withholding many ransomware payment commissions at once and shutting down the service. "ALPHV/BlackCat did not get seized," Wosar wrote on Twitter/X today. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice." Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat's exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own. "The affiliates still have this data, and they're mad they didn't receive this money, Smilyanets told Wired.com. "It's a good lesson for everyone. You cannot trust criminals; their word is worth nothing."