Firefox

Mozilla Releases Firefox 131 With Tab Preview and Text-Specific Links 25

Mozilla has released Firefox 131 for multiple platforms, addressing security vulnerabilities and introducing some new features. The update fixes at least seven high-risk security issues, none reportedly exploited in the wild. New features include Tab Preview, which displays thumbnails and details when hovering over background tabs, and temporary location permission storage. Firefox now also supports URL fragment text directives, allowing users to link to specific text passages on web pages.
Security

Even Password Manager Subscribers Reuse Passwords, Study Finds (pcmag.com) 61

An anonymous reader shares a report: It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with 48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.

Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.Â

Security

Attackers Exploit Critical Zimbra Vulnerability Using CC'd Email Addresses (arstechnica.com) 6

An anonymous reader quotes a report from Ars Technica: Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn. The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.

On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as "mass exploitation." He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report. On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable. [...]

Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. Proofpoint went on to say: "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."

Crime

Police Arrest Four Suspects Linked To LockBit Ransomware Gang (bleepingcomputer.com) 10

Law enforcement from 12 countries arrested four individuals linked to the LockBit ransomware gang, including a developer and a bulletproof hosting administrator. The operation also resulted in the seizure of LockBit infrastructure and involved sanctions targeting affiliates of both LockBit and Evil Corp. BleepingComputer reports: According to Europol, a suspected LockBit ransomware developer was arrested in August 2024 at the request of French authorities while on holiday outside of Russia. The same month, the U.K.'s National Crime Agency (NCA) arrested two more individuals linked to LockBit activity: one believed to be associated with a LockBit affiliate, while the second was apprehended on suspicion of money laundering. In a separate action, at Madrid airport, Spain's Guardia Civil arrested the administrator of a bulletproof hosting service used to shield LockBit's infrastructure. Today, Australia, the United Kingdom, and the United States also revealed sanctions against an individual the UK NCA believes is a prolific LockBit ransomware affiliate linked to Evil Corp.

The United Kingdom sanctioned 15 more Russian nationals involved in Evil Corp's criminal activities, while the United States sanctioned six individuals and Australia targeted two. "These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months," Europol said.

Iphone

The Feds Still Can't Get Into Eric Adams' Phone (theverge.com) 112

The Verge's Gaby Del Valle reports: New York City Mayor Eric Adams, who was indicted last week on charges including fraud, bribery, and soliciting donations from foreign nationals, told federal investigators he forgot his phone password before handing it over, according to charging documents. That was almost a year ago, and investigators still can't get into the phone, prosecutors said Wednesday.

During a federal court hearing, prosecutor Hagan Scotten said the FBI's inability to get into Adams' phone is a "significant wild card," according to a report from the New York Post. The FBI issued a search warrant for Adams' devices in November 2023. Adams initially handed over two phones but didn't have his personal device on him. The indictment does not mention what type of device Adams uses. When Adams turned in his personal cellphone the following day, charging documents say, he said he had changed the password a day prior -- after learning about the investigation -- and couldn't remember it. Adams told investigators he changed the password "to prevent members of his staff from inadvertently or intentionally deleting the contents of his phone," the indictment alleges.
The FBI just needs the right tools. When investigators failed to break into the Trump rally shooter's phone in July, they sent the device to the FBI lab in Quantico, Virginia, where agents used an unreleased tool from the Israeli company Cellebrite to crack it in less than an hour.
Privacy

Crooks Made Millions By Breaking Into Execs' Office365 Inboxes, Feds Say (arstechnica.com) 55

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged a man for an alleged "hack-to-trade" scheme that earned him millions of dollars by breaking into the Office365 accounts of executives at publicly traded companies and obtaining quarterly financial reports before they were released publicly. The action, taken by the office of the US Attorney for the district of New Jersey, accuses UK national Robert B. Westbrook of earning roughly $3.75 million in 2019 and 2020 from stock trades that capitalized on the illicitly obtained information. After accessing it, prosecutors said, he executed stock trades. The advance notice allowed him to act and profit on the information before the general public could. The US Securities and Exchange Commission filed a separate civil suit against Westbrook seeking an order that he pay civil penalties and return all ill-gotten gains. [...]

By obtaining material information, Westbrook was able to predict how a company's stock would perform once it became public. When results were likely to drive down stock prices, he would place "put" options, which give the purchaser the right to sell shares at a specific price within a specified span of time. The practice allowed Westbrook to profit when shares fell after financial results became public. When positive results were likely to send stock prices higher, Westbrook allegedly bought shares while they were still low and later sold them for a higher price. The prosecutors charged Westbrook with one count each of securities fraud and wire fraud and five counts of computer fraud. The securities fraud count carries a maximum penalty of up to 20 years' prison time and $5 million in fines The wire fraud count carries a maximum penalty of up to 20 years in prison and a fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. Each computer fraud count carries a maximum five years in prison and a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest.
"The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud," Jorge G. Tenreiro, acting chief of the SEC's Crypto Assets and Cyber Unit, said in a statement. "As this case demonstrates, even though Westbrook took multiple steps to conceal his identity -- including using anonymous email accounts, VPN services, and utilizing bitcoin -- the Commission's advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking."
Microsoft

Microsoft Is Discontinuing HoloLens 2, With No Replacement (uploadvr.com) 24

An anonymous reader shares a report: HoloLens 2 production has ended, Microsoft confirmed to UploadVR. Now is the last time to buy the device before stock runs out, the company has been telling its partners and customers. HoloLens 2 will continue to receive "updates to address critical security issues and software regressions" until December 31 2027. As soon as 2028 starts, software support for HoloLens 2 will end. For the original HoloLens headset from 2016, software support will end after December 10 of this year, just over two months from now. Production of it ended back in 2018. HoloLens 2 launched in 2019, three years after the original, with upgrades to almost every aspect: a wider field of view, higher resolution, eye tracking, vastly improved hand tracking, and more powerful compute housed in the rear of the strap to deliver a balanced comfortable design.
Security

Russian Ransomware Hackers Worked With Kremlin Spies, UK Says (bloomberg.com) 63

A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin's intelligence services, according to the UK's National Crime Agency. From a report: Evil Corp., which includes a man who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in statement on Tuesday. The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil and accused its alleged leader, Maksim Yakubets, of providing "direct assistance" to the Russian state, including by "acquiring confidential documents." The NCA's statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin's geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn't immediately clear.
AI

California's Governor Just Vetoed Its Controversial AI Bill (techcrunch.com) 35

"California Governor Gavin Newsom has vetoed SB 1047, a high-profile bill that would have regulated the development of AI," reports TechCrunch. The bill "would have made companies that develop AI models liable for implementing safety protocols to prevent 'critical harms'." The rules would only have applied to models that cost at least $100 million and use 10^26 FLOPS (floating point operations, a measure of computation) during training.

SB 1047 was opposed by many in Silicon Valley, including companies like OpenAI, high-profile technologists like Meta's chief AI scientist Yann LeCun, and even Democratic politicians such as U.S. Congressman Ro Khanna. That said, the bill had also been amended based on suggestions by AI company Anthropic and other opponents.

In a statement about today's veto, Newsom said, "While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the.." bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."

"Over the past 30 days, Governor Newsom signed 17 bills covering the deployment and regulation of GenAI technology..." according to a statement from the governor's office, "cracking down on deepfakes, requiring AI watermarking, protecting children and workers, and combating AI-generated misinformation... The Newsom Administration will also immediately engage academia to convene labor stakeholders and the private sector to explore approaches to use GenAI technology in the workplace."

In a separate statement the governor pointed out California " is home to 32 of the world's 50 leading Al companies," and warned that the bill "could give the public a false sense of security about controlling this fast-moving technology. Smaller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 — at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good..."

"While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it.

"I do not believe this is the best approach to protecting the public from real threats posed by the technology."

Interestingly, the Los Angeles Times reported that the vetoed bill had been supported by Mark Hamill, J.J. Abrams, and "more than 125 Hollywood actors, directors, producers, music artists and entertainment industry leaders" who signed a letter of support. (And that bill also cited the support of "over a hundred current and former employees of OpenAI, Google DeepMind, Anthropic, Meta, and xAI..."
Transportation

Why Boeing is Dismissing a Top Executive (barrons.com) 45

Last weekend Boeing announced that its CEO of Defense, Space, and Security "had left the company," according to Barrons. "Parting ways like this, for upper management, is the equivalent to firing," they write — though they add that setbacks on Starliner's first crewed test flight is "far too simple an explanation." Starliner might, however, have been the straw that broke the camel's back. [New CEO Kelly] Ortberg took over in early August, so his first material interaction with the Boeing Defense and Space business was the spaceship's failed test flight... Starliner has cost Boeing $1.6 billion and counting. That's lot of money, but not all that much in the context of the Defense business, which generates sales of roughly $25 billion a year.... [T]he overall Defense business has performed poorly of late, burdened by fixed price contracts that have become unprofitable amid years of higher than expected inflation. Profitability in the defense business has been declining since 2020 and started losing money in 2022. From 2022 to 2024 losses should total about $6 billion cumulatively, including Wall Street's estimates for the second half of this year.

Still, it felt like something had to give. And the change shows investors something about new CEO Ortberg. "At this critical juncture, our priority is to restore the trust of our customers and meet the high standards they expect of us," read part of an internal email sent to Boeing employees announcing the change. "Why his predecessor — David Calhoun — didn't pull this trigger earlier this year is a mystery," wrote Gordon Haskett analyst Don Bilson in a Monday note. "Can't leave astronauts behind."

"Ortberg's logic appears sound," the article concludes. "In recent years, Boeing has disappointed its airline and defense customers, including NASA...

"After Starliner, defense profitability, and the strike, Ortberg has to tackle production quality, production rates, and Boeing's ailing balance sheet. Boeing has amassed almost $60 billion in debt since the second tragic 737 MAX crash in March 2019."

Thanks to Slashdot reader Press2ToContinue for sharing the news.
Privacy

Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text (appleinsider.com) 28

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Security

Flaw In Kia's Web Portal Let Researchers Track, Hack Cars (arstechnica.com) 16

SpzToid shares a report: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles -- dozens of models representing millions of cars on the road -- from the smartphone of a car's owner to the hackers' own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle's license plate and within seconds gain the ability to track that car's location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group's findings and hasn't responded to WIRED's emails since then. But Kia's patch is far from the end of the car industry's web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they've reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they've discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

Government

White House Agonizes Over UN Cybercrime Treaty (politico.com) 43

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is fretting over whether to sign on. Politico: The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.

Microsoft

Controversial Windows Recall AI Search Tool Returns (securityweek.com) 68

wiredmikey writes: Three months after pulling previews of the controversial Windows Recall feature due to public backlash, Microsoft says it has completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system.

In an interview with SecurityWeek, Microsoft vice president David Weston said the company's engineers rewrote the security model of Windows Recall to reduce attack surface on Copilot+ PCs and minimize the risk of malware attackers targeting the screenshot data store.

The Almighty Buck

Promises of 'Passive Income' On Amazon Led To Death Threats For Negative Online Review, FTC Says (cnbc.com) 78

"The Federal Trade Commission is cracking down on 'automation' companies that launch and manage online businesses on behalf of customers in exchange for an upfront investment," reports CNBC's Annie Palmer. "The latest case targets Ascend Ecom, which ran an e-commerce money-making scheme, primarily on Amazon." The FTC accuses the e-commerce company of defrauding consumers of at least $25 million through false claims, deceptive marketing practices, and attempts to suppress negative reviews. From the report: Jamaal Sanford received a disturbing email in May of last year. The message, whose sender claimed to be part of a "Russian shadow team," contained Sanford's home address, social security number and his daughter's college. It came with a very specific threat. The sender said Sanford, who lives in Springfield, Missouri, would only only be safe if he removed a negative online review. "Do not play tough guy," the email said. "You have nothing to gain by keeping the reviews and EVERYTHING to lose by not cooperating."

Months earlier, Sanford had left a scathing review for an e-commerce "automation" company called Ascend Ecom on the rating site Trustpilot. Ascend's purported business was the launching and managing of Amazon storefronts on behalf of clients, who would pay money for the service and the promise of earning thousands of dollars in "passive income." Sanford had invested $35,000 in such a scheme. He never recouped the money and is now in debt, according to a Federal Trade Commission lawsuit unsealed on Friday. His experience is a key piece of the FTC's suit, which accuses Ascend of breaking federal laws by making false claims related to earnings and business performance, and threatening or penalizing customers for posting honest reviews, among other violations. The FTC is seeking monetary relief for Ascend customers and to prevent Ascend from doing business permanently.

Privacy

NIST Proposes Barring Some of the Most Nonsensical Password Rules (arstechnica.com) 180

Ars Technica's Dan Goodin reports: Last week, NIST released its second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance. A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember. Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there's no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.

The latest NIST guidelines now state that:
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. ("Verifiers" is bureaucrat speak for the entity that verifies an account holder's identity by corroborating the holder's authentication credentials. Short for credential service provider, "CSPs" are a trusted entity that assigns or registers authenticators to the account holder.) In previous versions of the guidelines, some of the rules used the words "should not," which means the practice is not recommended as a best practice. "Shall not," by contrast, means the practice must be barred for an organization to be in compliance.
Several other common sense practices mentioned in the document include: 1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Businesses

Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media) 29

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.
Further reading: How Not To Hire a North Korean IT Spy
Security

Kaspersky Defends Stealth Swap of Antivirus Software on US Computers (techcrunch.com) 29

Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software.

Kaspersky spokesperson Francesco Tius told TechCrunch that the company informed eligible U.S. customers via email about the migration, which began in early September. Windows users experienced an automatic transition to ensure continuous protection, while Mac and mobile users were instructed to manually install UltraAV. Some customers expressed alarm at the unannounced software swap. Kaspersky blamed missed notifications on unregistered email addresses, directing users to in-app messages and an online FAQ. The abrupt change raises concerns about user autonomy and privacy in software updates, particularly as UltraAV lacks an established security track record.
Privacy

Tor Project Merges With Tails (torproject.org) 17

The Tor Project: Today the Tor Project, a global non-profit developing tools for online privacy and anonymity, and Tails, a portable operating system that uses Tor to protect users from digital surveillance, have joined forces and merged operations. Incorporating Tails into the Tor Project's structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats. In short, coming together will strengthen both organizations' ability to protect people worldwide from surveillance and censorship.

Countering the threat of global mass surveillance and censorship to a free Internet, Tor and Tails provide essential tools to help people around the world stay safe online. By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.

In late 2023, Tails approached the Tor Project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails's operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution. By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.

This solution is a natural outcome of the Tor Project and Tails' shared history of collaboration and solidarity. 15 years ago, Tails' first release was announced on a Tor mailing list, Tor and Tails developers have been collaborating closely since 2015, and more recently Tails has been a sub-grantee of Tor. For Tails, it felt obvious that if they were to approach a bigger organization with the possibility of merging, it would be the Tor Project.

IT

WordPress.org Denies Service To WP Engine (theregister.com) 70

WordPress has escalated its feud with WP Engine, a hosting provider, by blocking the latter's servers from accessing WordPress.org resources -- and therefore from potentially vital software updates. From a report: WordPress is an open source CMS which is extensible using plugins. Its home is WordPress.org, which also hosts resources such as themes and plugins for the CMS. A vast ecosystem of plugins exists from numerous suppliers, but WordPress.org is the main source. Many WordPress users rely on several plugins. Preventing WP Engine users from accessing plugin updates is therefore serious, as it could mean users can't update plugins that have security issues, or other fixes.

WordPress co-founder and CEO Matt Mullenweg recently called WP Engine a "cancer" and accused it of profiting from WordPress without contributing to development of the CMS. Mullenweg has sought to have WP Engine pay trademark license fees -- a move he feels would represent a financial contribution commensurate with the benefits it derives from the project. WP Engine doesn't want or intend to pay. Mullenweg argued that if WP Engine won't pay, it should not be able to benefit from resources at WordPress.org.

Slashdot Top Deals