Security

Is AI-Driven 0-Day Detection Here? (zeropath.com) 25

"AI-driven 0-day detection is here," argues a new blog post from ZeroPath, makers of a GitHub app that "detects, verifies, and issues pull requests for security vulnerabilities in your code."

They write that AI-assisted security research "has been quietly advancing" since early 2023, when researchers at the DARPA and ARPA-H's Artificial Intelligence Cyber Challenge demonstrated the first practical applications of LLM-powered vulnerability detection — with new advances continuing. "Since July 2024, ZeroPath's tool has uncovered critical zero-day vulnerabilities — including remote code execution, authentication bypasses, and insecure direct object references — in popular AI platforms and open-source projects." And they ultimately identified security flaws in projects owned by Netflix, Salesforce, and Hulu by "taking a novel approach combining deep program analysis with adversarial AI agents for validation. Our methodology has uncovered numerous critical vulnerabilities in production systems, including several that traditional Static Application Security Testing tools were ill-equipped to find..." TL;DR — most of these bugs are simple and could have been found with a code review from a security researcher or, in some cases, scanners. The historical issue, however, with automating the discovery of these bugs is that traditional SAST tools rely on pattern matching and predefined rules, and miss complex vulnerabilities that do not fit known patterns (i.e. business logic problems, broken authentication flaws, or non-traditional sinks such as from dependencies). They also generate a high rate of false positives.

The beauty of LLMs is that they can reduce ambiguity in most of the situations that caused scanners to be either unusable or produce few findings when mass-scanning open source repositories... To do this well, you need to combine deep program analysis with an adversarial agents that test the plausibility of vulnerabilties at each step. The solution ends up mirroring the traditional phases of a pentest — recon, analysis, exploitation (and remediation which is not mentioned in this post)...

AI-driven vulnerability detection is moving fast... What's intriguing is that many of these vulnerabilities are pretty straightforward — they could've been spotted with a solid code review or standard scanning tools. But conventional methods often miss them because they don't fit neatly into known patterns. That's where AI comes in, helping us catch issues that might slip through the cracks.

"Many vulnerabilities remain undisclosed due to ongoing remediation efforts or pending responsible disclosure processes," according to the blog post, which includes a pie chart showing the biggest categories of vulnerabilities found:
  • 53%: Authorization flaws, including roken access control in API endpoints and unauthorized Redis access and configuration exposure. ("Impact: Unauthorized access, data leakage, and resource manipulation across tenant boundaries.")
  • 26%: File operation issues, including directory traversal in configuration loading and unsafe file handling in upload features. ("Impact: Unauthorized file access, sensitive data exposure, and potential system compromise.")
  • 16%: Code execution vulnerabilities, including command injection in file processing and unsanitized input in system commands. ("Impact: Remote code execution, system command execution, and potential full system compromise.")

The company's CIO/cofounder was "former Red Team at Tesla," according to the startup's profile at YCombinator, and earned over $100,000 as a bug-bounty hunter. (And another co-founded is a former Google security engineer.)

Thanks to Slashdot reader Mirnotoriety for sharing the article.


China

How America's Export Controls Failed to Keep Cutting-Edge AI Chips from China's Huawei (stripes.com) 40

An anonymous reader shared this report from the Washington Post: A few weeks ago, analysts at a specialized technological lab put a microchip from China under a powerful microscope. Something didn't look right... The microscopic proof was there that a chunk of the electronic components from Chinese high-tech champion Huawei Technologies had been produced by the world's most advanced chipmaker, Taiwan Semiconductor Manufacturing Company.

That was a problem because two U.S. administrations in succession had taken actions to assure that didn't happen. The news of the breach of U.S. export controls, first reported in October by the tech news site the Information, has sent a wave of concern through Washington... The chips were routed to Huawei through Sophgo Technologies, the AI venture of a Chinese cryptocurrency billionaire, according to two people familiar with the matter, speaking on the condition of anonymity to discuss a sensitive topic... "It raises some fundamental questions about how well we can actually enforce these rules," said Emily Kilcrease, a senior fellow at the Center for a New American Security in Washington... Taiwan's Ministry of Economic Affairs confirmed that TSMC recently halted shipments to a "certain customer" and notified the United States after suspecting that customer might have directed its products to Huawei...

There's been much intrigue in recent days in the industry over how the crypto billionaire's TSMC-made chips reportedly ended up at Huawei. Critics accuse Sophgo of working to help Huawei evade the export controls, but it is also possible that they were sold through an intermediary, which would align with Sophgo's denial of having any business relationship with Huawei... While export controls are often hard to enforce, semiconductors are especially hard to manage due to the large and open nature of the global chip trade. Since the Biden administration implemented sweeping controls in 2022, there have been reports of widespread chip smuggling and semiconductor black markets allowing Chinese companies to access necessary chips...

Paul Triolo, technology policy lead at Albright Stonebridge Group, said companies were trying to figure out what lengths they had to go to for due diligence: "The guidelines are murky."

Security

Okta Fixes Login Bypass Flaw Tied To Lengthy Usernames 32

Identity management firm Okta said Friday it has patched a critical authentication bypass vulnerability that affected customers using usernames longer than 52 characters in its AD/LDAP delegated authentication service.

The flaw, introduced on July 23 and fixed October 30, allowed attackers to authenticate using only a username if they had access to a previously cached key. The bug stemmed from Okta's use of the Bcrypt algorithm to generate cache keys from combined user credentials. The company switched to PBKDF2 to resolve the issue and urged affected customers to audit system logs.
Bitcoin

US Indicts 26-Year-Old Gotbit Founder For Market Manipulation (crypto.news) 21

The feds have indicted Aleksei Andriunin, a 26-year-old Russian national and founder of Gotbit, on charges of wire fraud and conspiracy to commit market manipulation. Crypto News reports: According to the U.S. Attorney's Office, the indictment alleges that Andriunin and his firm participated in a long-running scheme to artificially boost trading volumes for various cryptocurrency companies, including some based in the United States, to make them appear more popular and increase their trading value. Andriunin allegedly led these activities between 2018 and 2024 as Gotbit's CEO. He could face up to 20 years in prison, additional fines, and asset forfeiture if convicted, according to the U.S. Attorney's Office. Prosecutors say the scheme involved "wash trading," where the firm used its software to make fake trades that inflated a cryptocurrency's trading volume. This practice, called market manipulation, can mislead investors by giving the impression that demand for a particular cryptocurrency is higher than it actually is. Wash trades are illegal in traditional finance and are considered fraudulent because they deceive investors and manipulate market behavior.

Court documents also identify Gotbit's two directors, Fedor Kedrov and Qawi Jalili, as co-conspirators. The indictment claims Gotbit documented these activities in detailed records, tracking differences between genuine and artificial trading volumes. The firm allegedly pitched these services to prospective clients, explaining how Gotbit's tactics would bypass detection on public blockchains, where transactions are recorded transparently. The U.S. Department of Justice has announced that it seized over $25 million worth of cryptocurrency assets connected to these schemes and made four arrests across multiple firms.
If you've been following the crypto industry, you're probably familiar with "pump-and-dump" schemes that have popped up throughout the years. Although it's a form of market manipulation, it's not quite the same as "wash trading."

In a pump-and-dump scheme, the perpetrator artificially inflates the price of a security (often a low-priced or thinly traded stock) by spreading misleading or exaggerated information to attract other buyers, who then drive up the price. Once the price has risen due to increased demand, the manipulators "dump" their shares at the inflated price, selling to the new buyers and pocketing the profits. The price typically crashes after the dump, leaving unsuspecting investors with overvalued shares and significant losses.

Wash trading, on the other hand, involves simultaneously buying and selling of the same asset to create the illusion of higher trading volume and activity. The purpose is to mislead other investors about the asset's liquidity and demand, often giving the impression that it is more popular or actively traded than it actually is. Wash trades usually occur without real changes in ownership or price movement, as the buyer and seller may even be the same person or entity. This tactic can manipulate prices indirectly by creating a perception of interest, but it does not involve a direct inflation followed by a sell-off, like a pump-and-dump scheme.
Security

Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices (wired.com) 33

British cybersecurity firm Sophos revealed this week that it waged a five-year battle against Chinese hackers who repeatedly targeted its firewall products to breach organizations worldwide, including nuclear facilities, military sites and critical infrastructure. The company told Wired that it traced the attacks to researchers in Chengdu, China, linked to Sichuan Silence Information Technology and the University of Electronic Science and Technology.

Sophos planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds: Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.

"The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."

AI

US Army Should Ditch Tanks For AI Drones, Says Eric Schmidt (theregister.com) 368

Former Google chief Eric Schmidt thinks the US Army should expunge "useless" tanks and replace them with AI-powered drones instead. From a report: Speaking at the Future Investment Initiative in Saudi Arabia this week, he said: "I read somewhere that the US had thousands and thousands of tanks stored somewhere," adding, "Give them away. Buy a drone instead."

The former Google supremo's argument is that recent conflicts, such as the war in Ukraine, have demonstrated how "a $5,000 drone can destroy a $5 million tank." In fact, even cheaper drones, similar to those commercially available for consumers, have been shown in footage on social media dropping grenades through the open turret hatch of tanks. Schmidt, who was CEO of Google from 2001 to 2011, then executive chairman to 2015, and executive chairman of Alphabet to 2018, founded White Stork with the aim of supporting Ukraine's war effort. It hopes to achieve this by developing a low-cost drone that can use AI to acquire its target rather than being guided by an operator and can function in environments where GPS jamming is in operation.

Notably, Schmidt also served as chair of the US government's National Security Commission on Artificial Intelligence (NSCAI), which advised the President and Congress about national security and defense issues with regard to AI. "The cost of autonomy is falling so quickly that the drone war, which is the future of conflict, will get rid of eventually tanks, artillery, mortars," Schmidt predicted.

Windows

Want To Keep Getting Windows 10 Updates? It'll Cost You $30 (pcworld.com) 95

With Windows 10 support set to expire on October 14, 2025, Microsoft is offering a one-time, one-year Extended Security Updates plan for consumers. "For $30, you'll receive 'critical' and 'important' security updates -- basically security patches that will continue to protect your Windows 10 PC from any vulnerabilities," reports PCWorld. "That $30 is for one year's worth of updates, and that's the only option at this time." From the report: Microsoft has been warning users for years that Windows 10 support will expire in 2025, specifically October 14, 2025. At that point, Windows 10 will officially fall out of support: there will be no more feature updates or security patches. On paper, that would mean that any Windows 10 PC will be at risk of any new vulnerabilities that researchers uncover.

Previously, Microsoft had quietly hinted that consumers would be offered the same ESU protections offered to businesses and enterprises, as it did in December 2023 and again in an "editor's note" shared in an April 2024 support post, in which the company said that "details will be shared at a later date for consumers." That time is now, apparently.

Back in December 2023, Microsoft offered the ESU on an annual basis to businesses for three years, one year at a time. The fees would double each year, charging businesses hundreds of dollars for the privilege. Consumers won't be offered the same deal, as a Microsoft representative said via email that it'll be a "one-time, one-year option for $30."

Canada

Chinese Attackers Accessed Canadian Government Networks For Five Years (theregister.com) 11

Canada's Communications Security Establishment (CSE) revealed a sustained cyber campaign by the People's Republic of China, targeting Canadian government and private sector networks over the past five years. The report also flagged India, alongside Russia and Iran, as emerging cyber threats. The Register reports: The biennial National Cyber Threat Assessment described the People's Republic of China's (PRC) cyber operations against Canada as "second to none." Their purpose is to "serve high-level political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression." Over the past four years, at least 20 networks within Canadian government agencies and departments were compromised by PRC cyber threat actors. The CSE assured citizens that all known federal government compromises have been resolved, but warned that "the actors responsible for these intrusions dedicated significant time and resources to learn about the target networks."

The report also alleges that government officials -- particularly those perceived as being critical of the Chinese Communist Party (CCP) -- were attacked. One of those attacks includes an email operation against members of Interparliamentary Alliance on China. The purpose of the cyber attacks is mainly to gain information that would lead to strategic, economic, and diplomatic advantages. The activity appears to have intensified following incidents of bilateral tension between Canada and the PRC, after which Beijing apparently wanted to gather timely intelligence on official reactions and unfolding developments, according to the report. Canada's private sector is also in the firing line, with the CSE suggesting "PRC cyber threat actors have very likely stolen commercially sensitive data from Canadian firms and institutions." Operations that collect information that could support the PRC's economic and military interests are priority targets.

Privacy

Colorado Agency 'Improperly' Posted Passwords for Its Election System Online (gizmodo.com) 93

For months, the Colorado Department of State inadvertently exposed partial passwords for voting machines in a public spreadsheet. "While the incident is embarrassing and already fueling accusations from the state's Republican party, the department said in a statement that it 'does not pose an immediate security threat to Colorado's elections, nor will it impact how ballots are counted,'" reports Gizmodo. From the report: Colorado NBC affiliate station 9NEWS reported that Hope Scheppelman, vice chair of the state's Republican party, revealed the error in a mass email sent Tuesday morning, which included an affidavit from a person who claimed to have downloaded the spreadsheet and discovered the passwords by clicking a button to reveal hidden tabs.

In its statement, the Department of State said that there are two unique passwords for each of its voting machines, which are stored in separate places. Additionally, the passwords can only be used by a person who is physically operating the system and voting machines are stored in secure areas that require ID badges to access and are under 24/7 video surveillance.

"The Department took immediate action as soon as it was aware of this, and informed the Cybersecurity and Infrastructure Security Agency, which closely monitors and protects the [country's] essential security infrastructure," The department said, adding that it is "working to remedy this situation where necessary." Colorado voters use paper ballots, ensuring that a physical paper trail that can be used to verify results tabulated electronically.

Canada

Canada Predicts Hacking From India as Diplomatic Feud Escalates (bloomberg.com) 97

Canada is bracing for Indian government-backed hacking as the two nations' diplomatic relationship nosedives to its lowest ebb in a generation. From a report: "We judge that official bilateral relations between Canada and India will very likely drive Indian state-sponsored cyber threat activity against Canada," the Canadian Centre for Cyber Security said in its annual threat report published Wednesday, adding that such hackers are probably already conducting cyber-espionage.

This month, Prime Minister Justin Trudeau's cabinet and Canadian police have ramped up a remarkable campaign of public condemnations against India, accusing Narendra Modi's officials of backing a wave of violence and extortion against Canadians on Canadian soil -- particularly those who agitate for carving out a separate Sikh state in India called Khalistan. India has rejected the accusations and believes some Khalistan activists to be terrorists harbored by Canada.

Security

Fired Employee Allegedly Hacked Disney World's Menu System to Alter Peanut Allergy Information (404media.co) 135

An anonymous reader shares a report: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World's restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.

The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in once case, broke the software for several weeks.

"The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies," the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants. Disney's menus have extensive "allergy friendly" sections.

AI

GitHub Copilot Moves Beyond OpenAI Models To Support Claude 3.5, Gemini 9

GitHub Copilot will switch from using exclusively OpenAI's GPT models to a multi-model approach, adding Anthropic's Claude 3.5 Sonnet and Google's Gemini 1.5 Pro. Ars Technica reports: First, Anthropic's Claude 3.5 Sonnet will roll out to Copilot Chat's web and VS Code interfaces over the next few weeks. Google's Gemini 1.5 Pro will come a bit later. Additionally, GitHub will soon add support for a wider range of OpenAI models, including GPT o1-preview and o1-mini, which are intended to be stronger at advanced reasoning than GPT-4, which Copilot has used until now. Developers will be able to switch between the models (even mid-conversation) to tailor the model to fit their needs -- and organizations will be able to choose which models will be usable by team members.

The new approach makes sense for users, as certain models are better at certain languages or types of tasks. "There is no one model to rule every scenario," wrote [GitHub CEO Thomas Dohmke]. "It is clear the next phase of AI code generation will not only be defined by multi-model functionality, but by multi-model choice." It starts with the web-based and VS Code Copilot Chat interfaces, but it won't stop there. "From Copilot Workspace to multi-file editing to code review, security autofix, and the CLI, we will bring multi-model choice across many of GitHub Copilot's surface areas and functions soon," Dohmke wrote. There are a handful of additional changes coming to GitHub Copilot, too, including extensions, the ability to manipulate multiple files at once from a chat with VS Code, and a preview of Xcode support.
GitHub also introduced "Spark," a natural language-based app development tool that enables both non-coders and coders to create and refine applications using conversational prompts. It's currently in an early preview phase, with a waitlist available for those who are interested.
Security

Local Privilege Escalation Vulnerability Affecting X.Org Server For 18 Years (phoronix.com) 43

Phoronix's Michael Larabel reports: CVE-2024-9632 was made public today as the latest security vulnerability affecting the X.Org Server. The CVE-2024-9632 security issue has been present in the codebase now for 18 years and can lead to local privilege escalation. Introduced in the X.Org Server 1.1.1 release back in 2006, CVE-2024-9632 affects the X.Org Server as well as XWayland too. By providing a modified bitmap to the X.Org Server, a heap-based buffer overflow privilege escalation can occur.

This security issue is within _XkbSetCompatMap() and stems from not updating the heap size properly and can lead to local privilege escalation if the server is run as root or as a remote code execution with X11 over SSH.
You can read the security advisory announcement here.
Privacy

Fitness App Strava Gives Away Location of Foreign Leaders, Report Finds 27

French newspaper Le Monde found that the fitness app Strava can easily track confidential movements of foreign leaders, including U.S. President Joe Biden, and presidential rivals Donald Trump and Kamala Harris. The Independent reports: Le Monde found that some U.S. Secret Service agents use the Strava fitness app, including in recent weeks after two assassination attempts on Trump, in a video investigation released in French and in English. Strava is a fitness tracking app primarily used by runners and cyclists to record their activities and share their workouts with a community. Le Monde also found Strava users among the security staff for French President Emmanuel Macron and Russian President Vladimir Putin. In one example, Le Monde traced the Strava movements of Macron's bodyguards to determine that the French leader spent a weekend in the Normandy seaside resort of Honfleur in 2021. The trip was meant to be private and wasn't listed on the president's official agenda.

Le Monde said the whereabouts of Melania Trump and Jill Biden could also be pinpointed by tracking their bodyguards' Strava profiles. In a statement to Le Monde, the U.S. Secret Service said its staff aren't allowed to use personal electronic devices while on duty during protective assignments but "we do not prohibit an employee's personal use of social media off-duty." "Affected personnel has been notified," it said. "We will review this information to determine if any additional training or guidance is required." "We do not assess that there were any impacts to protective operations or threats to any protectees," it added. Locations "are regularly disclosed as part of public schedule releases."

In another example, Le Monde reported that a U.S. Secret Service agent's Strava profile revealed the location of a hotel where Biden subsequently stayed in San Francisco for high-stakes talks with Chinese President Xi Jinping in 2023. A few hours before Biden's arrival, the agent went jogging from the hotel, using Strava which traced his route, the newspaper found. The newspaper's journalists say they identified 26 U.S. agents, 12 members of the French GSPR, the Security Group of the Presidency of the Republic, and six members of the Russian FSO, or Federal Protection Service, all of them in charge of presidential security, who had public accounts on Strava and were therefore communicating their movements online, including during professional trips. Le Monde did not identify the bodyguards by name for security reasons.
Security

Banks and Regulators Warn of Rise in 'Quishing' QR Code Scams 56

Banks and regulators are warning that QR code phishing scams -- also known as "quishing" -- are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details. From a report: Lenders including Santander, HSBC, and TSB have joined the UK National Cyber Security Centre and US Federal Trade Commission among others to raise concerns about a rise in fraudulent QR codes being deployed for sophisticated fraud campaigns.

The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters -- software that typically flags malicious website links, but often does not scan images within attachments. "The appeal for criminals is that it's bypassing all of the [cyber security] training and it's also bypassing our products," said Chester Wisniewski, a senior adviser at security software company Sophos.
Software

Can the EU Hold Software Makers Liable For Negligence? (lawfaremedia.org) 132

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

Cloud

Researchers Discover Flaws In Five End-to-End Encrypted Cloud Services (scworld.com) 33

SC World reports: Several major end-to-end encrypted cloud storage services contain cryptographic flaws that could lead to loss of confidentiality, file tampering, file injection and more, researchers from ETH Zurich said in a paper published this month.

The five cloud services studied offer end-to-end encryption (E2EE), intended to ensure files can not be read or edited by anyone other than the uploader, meaning not even the cloud storage provider can access the files. However, ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong, who presented their findings at the ACM Conference on Computer and Communications Security (CCS) last week, found serious flaws in four out of the five services that could effectively bypass the security benefits provided by E2EE by enabling an attacker who managed to compromise a cloud server to access, tamper with or inject files.

The E2EE cloud storage services studied were Sync, pCloud, Seafile, Icedrive and Tresorit, which have a collective total of about 22 million users. Tresorit had the fewest vulnerabilities, which could enable some metadata tampering and use of non-authentic keys when sharing files. The other four services were found to have more severe flaws posing a greater risk to file confidentiality and integrity.

BleepingComputer reports that Sync is "fast-tracking fixes," while Seafile "promised to patch the protocol downgrade problem on a future upgrade." And SC World does note that all 10 of the tested exploits "would require the attacker to have already gained control of a server with the ability to read, modify and inject data.

"The authors wrote that they consider this to be a realistic threat model for E2EE services, as these services are meant to protect files even if such a compromise was to occur."

Thanks to Slashdot reader spatwei for sharing the article.
Electronic Frontier Foundation

Egyptian Blogger/Developer Still Held in Prison 28 Days After His Release Date (eff.org) 51

In 2004 Alaa Abd El Fattah answered questions from Slashdot's readers about organizing the first-ever Linux installfest in Egypt.

In 2014 he was arrested for organizing poltical protests without requesting authorization, according to Wikipedia, and then released on bail — but then sentenced to five years in prison upon retrial. He was released in late March of 2019, but then re-arrested again in September by the National Security Agency, convicted of "spreading fake news" and jailed for five years...

Wikipedia describes Abd El-Fattah as an "Egyptian-British blogger, software developer and a political activist" who has been "active in developing Arabic-language versions of software and platforms." But this week an EFF blog post noticed that his released date had recently passed — and yet he was still in prison: It's been 28 days since September 29, the day that should have seen British-Egyptian blogger, coder, and activist Alaa Abd El Fattah walk free. Egyptian authorities refused to release him at the end of his sentence, in contradiction of the country's own Criminal Procedure Code, which requires that time served in pretrial detention count toward a prison sentence. [Human Rights Watch says Egyptian authorities are refusing to count more than two years of pretrial detention toward his time served. Amnesty International has also called for his release.] In the days since, Alaa's family has been able to secure meetings with high-level British officials, including Foreign Secretary David Lammy, but as of yet, the Egyptian government still has not released Alaa...

Alaa deserves to finally return to his family, now in the UK, and to be reunited with his son, Khaled, who is now a teenager. We urge EFF supporters in the UK to write to their MP to place pressure on the UK's Labour government to use their power to push for Alaa's release.

Last month the EFF wrote:: Over 20 years ago Alaa began using his technical skills to connect coders and technologists in the Middle East to build online communities where people could share opinions and speak freely and privately. The role he played in using technology to amplify the messages of his fellow Egyptians — as well as his own participation in the uprising in Tahrir Square — made him a prominent global voice during the Arab Spring, and a target for the country's successive repressive regimes, which have used antiterrorism laws to silence critics by throwing them in jail and depriving them of due process and other basic human rights.

Alaa is a symbol for the principle of free speech in a region of the world where speaking out for justice and human rights is dangerous and using the power of technology to build community is criminalized...

Bug

Apple Will Pay Security Researchers Up To $1 Million To Hack Its Private AI Cloud 6

An anonymous reader quotes a report from TechCrunch: Ahead of the debut of Apple's private AI cloud next week, dubbed Private Cloud Compute, the technology giant says it will pay security researchers up to $1 million to find vulnerabilities that can compromise the security of its private AI cloud. In a post on Apple's security blog, the company said it would pay up to the maximum $1 million bounty to anyone who reports exploits capable of remotely running malicious code on its Private Cloud Compute servers. Apple said it would also award researchers up to $250,000 for privately reporting exploits capable of extracting users' sensitive information or the prompts that customers submit to the company's private cloud.

Apple said it would "consider any security issue that has a significant impact" outside of a published category, including up to $150,000 for exploits capable of accessing sensitive user information from a privileged network position. "We award maximum amounts for vulnerabilities that compromise user data and inference request data outside the [private cloud compute] trust boundary," Apple said.
You can learn more about Apple's Private Cloud Computer service in their blog post. Its source code and documentation is available here.
United States

FBI Investigates Claims China Tried To Hack Donald Trump's Phone (ft.com) 43

Joe Biden's administration is investigating alleged Chinese efforts to hack US telecoms infrastructure amid reports hackers had targeted the phones of former president Donald Trump and his running mate JD Vance. Financial Times: The FBI and the Cybersecurity and Infrastructure Security Agency said they were investigating "unauthorised access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China."

The statement followed a report in the New York Times that Chinese hackers had accessed US telecoms networks and targeted data on Trump and Vance's phones. The FBI declined to say if the hackers had targeted their phones.

Steven Cheung, Trump's campaign spokesperson, blamed the alleged attack on Kamala Harris, the US vice-president and Democratic presidential nominee. But he declined to say if US authorities had informed the campaign about the hacking effort.

Cheung said: "This is the continuation of election interference by Kamala Harris and Democrats who will stop at nothing, including emboldening China and Iran attacking critical American infrastructure, to prevent president Trump from returning to the White House. Their dangerous and violent rhetoric has given permission to those who wish to harm president Trump."
Further reading:
Chinese Hackers Targeted Trump and Vance's Phone Data (CNN);

China Sought To Hack Trump, Vance and Campaign Phones, Officials Say (Washington Post);

Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (Wall Street Journal);

US Investigating Breach of Telecoms by China-Linked Hackers (Bloomberg);

Trump, Vance Potential Targets in Broad China-Backed Hacking Operation (CBS News);

Chinese Hackers Attempted To Breach Trump, Vance Cellphone Data: Report (Fox News);

Chinese Hackers Believed To Have Targeted Trump, Vance Cellphones: Sources (ABC News);

Chinese Hackers Targeted Cellphones Used by Trump, Vance (Associated Press).

Slashdot Top Deals