Security

US Healthcare Giant Norton Says Hackers Stole Millions of Patients' Data During Ransomware Attack (techcrunch.com) 27

An anonymous reader quotes a report from TechCrunch: Kentucky-based nonprofit healthcare system Norton Healthcare has confirmed that hackers accessed the personal data of millions of patients and employees during an earlier ransomware attack. Norton operates more than 40 clinics and hospitals in and around Louisville, Kentucky, and is the city's third-largest private employer. The organization has more than 20,000 employees, and more than 3,000 total providers on its medical staff, according to its website. In a filing with Maine's attorney general on Friday, Norton said that the sensitive data of approximately 2.5 million patients, as well as employees and their dependents, was accessed during its May ransomware attack.

In a letter sent to those affected, the nonprofit said that hackers had access to "certain network storage devices between May 7 and May 9," but did not access Norton Healthcare's medical record system or Norton MyChart, its electronic medical record system. But Norton admitted that following a "time-consuming" internal investigation, which the organization completed in November, Norton found that hackers accessed a "wide range of sensitive information," including names, dates of birth, Social Security numbers, health and insurance information and medical identification numbers. Norton Healthcare says that, for some individuals, the exposed data may have also included financial account numbers, driver licenses or other government ID numbers, as well as digital signatures. It's not known if any of the accessed data was encrypted.

Norton says it notified law enforcement about the attack and confirmed it did not pay any ransom payment. The organization did not name the hackers responsible for the cyberattack, but the incident was claimed by the notorious ALPHV/BlackCat ransomware gang in May, according to data breach news site DataBreaches.net, which reported that the group claimed it exfiltrated almost five terabytes of data. TechCrunch could not confirm this, as the ALPHV website was inaccessible at the time of writing.

Android

Beeper's iMessage App for Android is Back (theverge.com) 82

The faceoff between Apple and Beeper has entered another round. Days after Apple managed to block Beeper Mini from seamlessly sending and receiving iMessages on Android, Beeper says the app is up and running again -- sort of. From a report: See, Beeper Mini works a little differently this time: you must now sign in with an Apple ID, whereas previously it would automatically register you to iMessage via your phone number. Beeper says it's working on a fix to restore phone number registration with iMessage, but until then, your friends won't be able to send iMessages directly to your phone number. Instead, the blue bubbles will have to come to and from your email address. That's not nearly as convenient, but at the end of the day, it's still iMessage.

Another change is that for now, owing to what could escalate into a cat-and-mouse game with Apple, Beeper Mini will be free to use. "Things have been a bit chaotic, and we're not comfortable subjecting paying users to this," the company wrote in a blog post today about the update. The app originally required a $2-per-month subscription. Apple's statement on Friday made clear that it won't hesitate to shut down further attempts to dupe its servers into believing Android phones are genuine Apple devices.

The Internet

US Debates Data Policy To Avoid a Fragmented Global Internet (bloomberg.com) 23

The White House is racing to overcome internal differences and hash out a new policy over how the US and other governments should view the rapid rise of global data flows that are fueling everything from AI to advanced manufacturing. From a report: In a series of sessions due to begin on Wednesday, President Joe Biden's national security and economic teams are due to meet with companies, labor and human rights advocates, and other experts on the digital economy as part of a review launched last month, according to people directly involved. At issue is laying out a clear US position on the rules for the global internet as governments confront an accelerating amount of data flowing across borders with mounting economic, privacy, income inequality and national security consequences.

Coming just days after the EU agreed late Friday to new regulations for AI, the Biden administration's push highlights how governments are racing to figure out their role in a fast-evolving digital economy and competing to lead the conversation. [...] In an interview, a senior administration official said the US was not backing away from long-standing US advocacy for a free and open internet even as some governments around the world are increasingly trying to restrict information flows.

Privacy

Republican Presidential Candidates Debate Anonymity on Social Media (cnbc.com) 174

Four Republican candidates for U.S. president debated Wednesday — and moderator Megyn Kelly had a tough question for former South Carolina governor Nikki Haley. "Can you please speak to the requirement that you said that every anonymous internet user needs to out themselves?"

Nikki Haley: What I said was, that social media companies need to show us their algorithms. I also said there are millions of bots on social media right now. They're foreign, they're Chinese, they're Iranian. I will always fight for freedom of speech for Americans; we do not need freedom of speech for Russians and Iranians and Hamas. We need social media companies to go and fight back on all of these bots that are happening. That's what I said.

As a mom, do I think social media would be more civil if we went and had people's names next to that? Yes, I do think that, because I think we've got too much cyberbullying, I think we've got child pornography and all of those things. But having said that, I never said government should go and require anyone's name.

DeSantis: That's false.

Haley: What I said —

DeSantis: You said I want your name. As president of the United States, her first day in office, she said one of the first things I'm going to do --

Haley: I said we were going to get the millions of bots.

DeSantis: "All social medias? I want your name." A government i.d. to dox every American. That's what she said. You can roll the tape. She said I want your name — and that was going to be one of the first things she did in office. And then she got real serious blowback — and understandably so, because it would be a massive expansion of government. We have anonymous speech. The Federalist Papers were written with anonymous writers — Jay, Madison, and Hamilton, they went under "Publius". It's something that's important — and especially given how conservatives have been attacked and they've lost jobs and they've been cancelled. You know the regime would use that to weaponize that against our own people. It was a bad idea, and she should own up to it.

Haley: This cracks me up, because Ron is so hypocritical, because he actually went and tried to push a law that would stop anonymous people from talking to the press, and went so far to say bloggers should have to register with the state --

DeSantis: That's not true.

Haley: — if they're going to write about elected officials. It was in the — check your newspaper. It was absolutely there.

DeSantis quickly attributed the introduction of that legislation to "some legislator".

The press had already extensively written about Haley's position on anonymity on social media. Three weeks ago Business Insider covered a Fox News interview, and quoted Nikki Haley as saying: "When I get into office, the first thing we have to do, social media companies, they have to show America their algorithms. Let us see why they're pushing what they're pushing. The second thing is every person on social media should be verified by their name." Haley said this was why her proposals would be necessary to counter the "national security threat" posed by anonymous social media accounts and social media bots. "When you do that, all of a sudden people have to stand by what they say, and it gets rid of the Russian bots, the Iranian bots, and the Chinese bots," Haley said. "And then you're gonna get some civility when people know their name is next to what they say, and they know their pastor and their family member's gonna see it. It's gonna help our kids and it's gonna help our country," she continued... A representative for the Haley campaign told Business Insider that Haley's proposals were "common sense."

"We all know that America's enemies use anonymous bots to spread anti-American lies and sow chaos and division within our borders. Nikki believes social media companies need to do a better job of verifying users so we can crack down on Chinese, Iranian, and Russian bots," the representative said.

The next day CNBC reported that Haley "appeared to add a caveat... suggesting Wednesday that Americans should still be allowed to post anonymously online." A spokesperson for Haley's campaign added, "Social media companies need to do a better job of verifying users as human in order to crack down on anonymous foreign bots. We can do this while protecting America's right to free speech and Americans who post anonymously."

Privacy issues had also come up just five minutes earlier in the debate. In March America's Treasury Secretary had recommended the country "advance policy and technical work on a potential central bank digital currency, or CBDC, so the U.S. is prepared if CBDC is determined to be in the national interest."

But Florida governor Ron DeSantis spoke out forcefully against the possibility. "They want to get rid of cash, crypto, they want to force you to do that. They'll take away your privacy. They will absolutely regulate your purchases. On Day One as president, we take the idea of Central Bank Digital Currency, and we throw it in the trash can. It'll be dead on arrival." [The audience applauded.]

iPhone

Apple Blocks 'Beeper Mini', Citing Security Concerns. But Beeper Keeps Trying (engadget.com) 90

A 16-year-old high school student reverse engineered Apple's messaging protocol, leading to the launch of an interoperable Android app called "Beeper Mini".

But on Friday the Verge reported that "less than a week after its launch, the app started experiencing technical issues when users were suddenly unable to send and receive blue bubble messages." Reached for comment, Beeper CEO Eric Migicovsky did not deny that Apple has successfully blocked Beeper Mini. "If it's Apple, then I think the biggest question is... if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS...? Beeper Mini is here today and works great. Why force iPhone users back to sending unencrypted SMS when they chat with friends on Android?"

Apple says they're unable to verify that end-to-end encryption is maintained when messages are sent through unauthorized channels, according to a statement quoted by TechCrunch: "At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users."

Beeper responded on X: We stand behind what we've built. Beeper Mini keeps your messages private, and boosts security compared to unencrypted SMS. For anyone who claims otherwise, we'd be happy to give our entire source code to mutually agreed upon third party to evaluate the security of our app.

Ars Technica adds: On Saturday, Migicovsky notified Beeper Cloud (desktop) users that iMessage was working again for them, after a long night of fixes. "Work continues on Beeper Mini," Migicovsky wrote shortly after noon Eastern time.

Engadget notes: The Beeper Mini team has apparently been working around the clock to resolve the outage affecting the new "iMessage on Android" app, and says a fix is "very close." And once the fix rolls out, users' seven-day free trials will be reset so they can start over fresh.

Meanwhile, at around 9 p.m. EST, Beeper CEO Eric Migicovsky posted on X that "For 3 blissful days this week, iPhone and Android users enjoyed high quality encrypted chats. We're working hard to return to that state."

Security

Reports of Active Directory Vulnerability Allowing DNS Record Spoofs to Steal Secrets (theregister.com) 14

Long-time Slashdot reader jd writes: The Register is reporting that Akamai security researchers have found a way to hack Active Directory and obtain the information stored within it. The researchers go on to say that Microsoft is NOT planning to fix the vulnerability.
From the article: While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof — short for DHCP DNS Spoof.

'We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains,' Akamai security researcher Ori David said.

The DHCP attack research builds on earlier work by NetSPI's Kevin Robertson, who detailed ways to exploit flaws in DNS zones.

Open Source

How AlmaLinux's Community Supported RHEL Binary Compatibility (linux-magazine.com) 41

Linux magazine interviewed an AlmaLinux official about what happened after their distro pivoted to binary compatibility with Red Hat Enterprise Linux rather than being a downstream build:

Linux Magazine: What prompted AlmaLinux to choose ABI over 1:1 compatibility with RHEL?

benny Vasquez, chair of the AlmaLinux OS Foundation: The short answer is our users. Overwhelmingly, our users made it clear that they chose AlmaLinux for its ease of use, the security and stability that it provides, and the backing of a diverse group of sponsors. All of that together meant that we didn't need to lock ourselves into copying RHEL, and we could continue to provide what our users needed.

Moreover, we needed to consider what our sponsors would be able to help us provide, and how we could best serve the downstream projects that now rely on AlmaLinux. The rippling effects of any decision that we make are beyond measure at this point, so we consider all aspects of our impact and then move forward with confidence and intention.

LM: How did AlmaLinux's mission of improving the Linux ecosystem for everyone influence this decision?

bV: We strongly believe that the soul of open source means working together, providing value where there is a gap, and helping each other solve problems. If we participate in an emotional reaction to a business's change, we will then be distracted and potentially hurt users and the Enterprise Linux ecosystem overall. By remaining focused on what is best (though not easiest), and adapting to the ecosystem as it is today, we will provide a better and more stable operating system.

LM: What opportunities does the ABI route offer over 1:1 compatibility?

bV: By liberating ourselves from the 1:1 promise, we have been able to do a few small things that have proven to be a good testing ground for what will come in the future. Specifically, we shipped a couple of smallish, but extremely important, security patches ahead of Red Hat, offering quicker security to the users of AlmaLinux... This also opens the door for other features and improvements that we could add back in or change, as our users need. We have already seen greater community involvement, especially around these ideas.

LM: Does the ABI route pose any extra challenges?

bV: The obvious one is that building from CentOS Stream sources takes more effort, but I think the more important challenge (and the one that will only be solved with consistency over time) is the one of proving that we will be able to deliver on the promise... We will continue on our goal of becoming the home for all users that need Enterprise Linux for free, but in the next year I expect that we will see an expansion in the number of kernels we support and see some new and exciting SIGs spun up around other features or use cases, as the community continues to standardize on how to achieve their goals collectively.

Linux magazine notes that in August AlmaLinux added two new repositories, Testing and Synergy. "Testing, currently available for AlmaLinux 8 and 9, offers security updates before they are approved and implemented upstream. Synergy contains packages requested by community members that currently aren't available in RHEL or Extra Packages for Enterprise Linux (EPEL, a set of extra software packages maintained by the Fedora SIG that are not available in RHEL or CentOS Stream)."

The article also points out that "On the upside, AlmaLinux can now include comments in their patches for greater transparency. Users will see where the patch comes from, which was not an option before."

Vasquez tells the magazine, "I think folks will be seriously happy about what they find as we release the new versions, namely, the consistency, stability, and security that they've come to expect from us."

Security

Apple Report Finds Steep Increase in Data Breaches, Ransomware (axios.com) 12

Data breaches and ransomware attacks are getting worse. Some 2.6 billion personal records have been exposed in data breaches over the past two years and that number continues to grow, according to a new report commissioned by Apple. From a report: Apple says the escalating intrusions, combined with increases in ransomware, mean the tech industry needs to move toward greater use of encryption. According to the report, prepared by MIT professor emeritus Stuart E. Madnick:

1. Data breaches in the US through the first nine months of the year are already 20% higher than for all of 2022.
2. Nearly 70 percent more ransomware attacks were reported through September 2023 than in the first three quarters of 2022.
3. Americans and those in the UK topped the list of those most targeted in ransomware attacks in 2023, followed by Canada and Australia. Those four countries accounted for nearly 70% of reported ransomware attacks.
4. One in four people in the US had their health data exposed in a data breach during the first nine months of 2023.

Cellphones

Fairphone 5 Scores a Perfect 10 From iFixit For Repairability (theregister.com) 48

The iFixit team pulled apart the newest Fairphone 5 smartphone and awarded its highest score for repairability: 10 out of 10. With the exception of one or two compromises, the Fairphone 5 is just as repairable as its predecessors. The Register reports: As before, opening the phone is a simple matter of popping off the back of the case. The beefier battery -- 4200 mAh instead of the previous 3905 mAh -- remains easy to remove, although the bigger size has implications elsewhere in the device. Replacing the USB-C port remains simple thanks to a metal lip that allows it to be removed easily. Individual cameras can also be replaced, a nice upgrade from the all-in-one unit of the preceding phone.

However, rather than something along the lines of the Core Module of the previous phone, the iFixit team found a motherboard and daughterboard more akin to other Android handsets. According to Fairphone, the bigger battery made the change necessary, but it's still a little disappointing. Still, the teardown team noted clear labeling to stop cables from being accidentally plugged into the wrong places. It said: "That's what intuitive repair design is all about: it should be easy to do the right thing and complicated to do the wrong thing."

According to iFixit co-founder and CEO Kyle Wiens: "Fairphone's promise of five Android version upgrades and over eight years of security updates with the Fairphone 5 is a bold statement in an industry that leans towards fleeting product life cycles. This is a significant stride towards sustainability and sets a new benchmark for smartphone lifespan."

"At iFixit, we believe in tech that lasts, and Fairphone is making that belief a reality. Fairphone's effort to attain a 10-year lifespan is not just impressive; it's unparalleled."

Encryption

Meta Defies FBI Opposition To Encryption, Brings E2EE To Facebook, Messenger (arstechnica.com) 39

An anonymous reader quotes a report from Ars Technica: Meta has started enabling end-to-end encryption (E2EE) by default for chats and calls on Messenger and Facebook despite protests from the FBI and other law enforcement agencies that oppose the widespread use of encryption technology. "Today I'm delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook," Meta VP of Messenger Loredana Crisan wrote yesterday. In April, a consortium of 15 law enforcement agencies from around the world, including the FBI and ICE Homeland Security Investigations, urged Meta to cancel its plan to expand the use of end-to-end encryption. The consortium complained that terrorists, sex traffickers, child abusers, and other criminals will use encrypted messages to evade law enforcement.

Meta held firm, telling Ars in April that "we don't think people want us reading their private messages" and that the plan to make end-to-end encryption the default in Facebook Messenger would be completed before the end of 2023. Meta also plans default end-to-end encryption for Instagram messages but has previously said that may not happen this year. Meta said it is using "the Signal Protocol, and our own novel Labyrinth Protocol," and the company published two technical papers that describe its implementation (PDF). "Since 2016, Messenger has had the option for people to turn on end-to-end encryption, but we're now changing personal chats and calls across Messenger to be end-to-end encrypted by default. This has taken years to deliver because we've taken our time to get this right," Crisan wrote yesterday. Meta said it will take months to implement across its entire user base.

A post written by two Meta software engineers said the company "designed a server-based solution where encrypted messages can be stored on Meta's servers while only being readable using encryption keys under the user's control."

"Product features in an E2EE setting typically need to be designed to function in a device-to-device manner, without ever relying on a third party having access to message content," they wrote. "This was a significant effort for Messenger, as much of its functionality has historically relied on server-side processing, with certain features difficult or impossible to exactly match with message content being limited to the devices."

The company says it had "to redesign the entire system so that it would work without Meta's servers seeing the message content."

Social Networks

Actors Recorded Videos for 'Vladimir.' It Turned Into Russian Propaganda. (wsj.com) 70

Internet propagandists aligned with Russia have duped at least seven Western celebrities, including Elijah Wood and Priscilla Presley, into recording short videos to support its online information war against Ukraine, according to new security research by Microsoft. From a report: The celebrities look like they were asked to offer words of encouragement -- apparently via the Cameo app -- to someone named "Vladimir" who appears to be struggling with substance abuse, Microsoft said. Instead, these messages were edited, sometimes dressed up with emojis, links and the logos of media outlets and then shared online by the Russia-aligned trolls, the company said.

The point was to give the appearance that the celebrities were confirming that Ukrainian President Volodymyr Zelensky was suffering from drug and alcohol problems, false claims that Russia has pushed in the past, according to Microsoft. Russia has denied engaging in disinformation campaigns. In one of the videos, a crudely edited message by Wood to someone named Vladimir references drugs and alcohol, saying: "I just want to make sure that you're getting help." Wood's video first surfaced in July, but since then Microsoft researchers have observed six other similar celebrity videos misused in the same way, including clips by "Breaking Bad" actor Dean Norris, John C. McGinley of "Scrubs," and Kate Flannery of "The Office," the company said.

United Kingdom

UK Says Russia Targeted Officials in Email-Hacking Campaign (bloomberg.com) 41

The UK accused Russia's main intelligence agency of seeking to hack the emails of British politicians and officials in an attempt to interfere in its democratic processes. From a report: "They have been targeting high-profile individuals and entities with a clear intent: using information they obtained to meddle in British politics," Foreign Office minister Leo Docherty told the House of Commons on Thursday. The intrusions include targeting personal email accounts and impersonation attempts against universities and media organizations, according to Docherty. Civil servants and journalists have also been targeted by Russia's Federal Security Service, known as the FSB, he said.

In November, the UK's National Cyber Security Centre warned that Russian and other state-sponsored hackers posed an "enduring and significant threat" to the country. The agency said that Russia was one of the most prolific state actors in cybercrime, and had dedicated substantial resources to conducting hacking operations internationally.

AI

Maybe We Already Have Runaway Machines 45

A new book argues that the invention of states and corporations has something to teach us about A.I. But perhaps it's the other way around. From a report: One of the things that make the machine of the capitalist state work is that some of its powers have been devolved upon other artificial agents -- corporations. Where [David] Runciman (a professor of politics at Cambridge) compares the state to a general A.I., one that exists to serve a variety of functions, corporations have been granted a limited range of autonomy in the form of what might be compared to a narrow A.I., one that exists to fulfill particular purposes that remain beyond the remit or the interests of the sovereign body.

Corporations can thus be set up in free pursuit of a variety of idiosyncratic human enterprises, but they, too, are robotic insofar as they transcend the constraints and the priorities of their human members. The failure mode of governments is to become "exploitative and corrupt," Runciman notes. The failure mode of corporations, as extensions of an independent civil society, is that "their independence undoes social stability by allowing those making the money to make their own rules."

There is only a "narrow corridor" -- a term Runciman borrows from the economists Daron Acemoglu and James A. Robinson -- in which the artificial agents balance each other out, and citizens get to enjoy the sense of control that emerges from an atmosphere of freedom and security. The ideal scenario is, in other words, a kludgy equilibrium.

Security

Android Vulnerability Exposes Credentials From Mobile Password Managers (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed "AutoSpill," can expose users' saved credentials from mobile password managers by circumventing Android's secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week. The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get "disoriented" about where they should target the user's login information and instead expose their credentials to the underlying app's native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.

"Let's say you are trying to log into your favorite music app on your mobile device, and you use the option of 'login via Google or Facebook.' The music app will open a Google or Facebook login page inside itself via the WebView," Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday. "When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app." Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability. Gangwal says he alerted Google and the affected password managers to the flaw. Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.

Power

Project Cuts Emissions By Putting Data Centers Inside Wind Turbines (cnn.com) 168

CNN reports on a new German-based project called WindCORES that operates data centers inside existing wind turbines, making them almost completely carbon neutral. "If you look at the sustainability pyramid, the highest form of sustainability is using things that already exist," said Fiete Dubberke, managing director of windCORES, which was founded in 2018. From the report: The concept uses existing wind turbines to power data centers on site, while fiber optic cables provide a constant internet connection. Planning for a project like this began 10 years ago, Dubberke said, when WestfalenWIND realized the electricity grid was too weak to handle the huge capacities of electricity being produced by its wind turbines during peak wind hours, resulting in their windfarms being switched off due to grid security issues. WindCORES estimates that the unused electricity generated during this period could power one-third of all German data centers.

Its solution was to bypass the "middleman" (the grid) altogether, and instead, power IT servers from directly inside the large concrete wind turbine towers. Each tower is 13 meters wide and could potentially hold server racks up to 150 meters high. As the area is mostly empty space, Dubberke calls the concept a "no-brainer." According to Dubberke, an average of 85-92% of the power needed to sustain a windCORES data center comes directly from the host turbine. When there is no wind, electricity is obtained from other renewable sources, including solar farms and hydroelectric power plants, via the electricity grid. "The German data center average is 430 grams of CO2 released per kilowatt hour," he said. "For windCORES, it is calculated at just 10 grams per kilowatt hour."

Since launching, windCORES has acquired around 150 clients through co-location and cloud solutions, from very small start-up companies to bigger, more established ones, such as Zattoo, a leading carbon-neutral Swiss TV streaming platform with several million monthly users. Zattoo joined windCORES in 2020, when it moved one of its six data centers into a wind turbine in Paderborn. Currently, 218 channels are encoded with windCORES, and by the end of next year, the company hopes to relocate more existing servers to the wind farm, making it Zattoo's main data center location. [...] WindCORES has recently opened a larger, second location called "windCORES II" at the Huser Klee windfarm in Lichtenau, Germany. Built for a new large automotive client from Munich (the name is yet to be revealed), it is over three levels and around 20 meters high.

Bug

Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack (arstechnica.com) 69

"Researchers have identified a large number of bugs to do with the processing of images at boot time," writes longtime Slashdot reader jd. "This allows malicious code to be installed undetectably (since the image doesn't have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are capable of blocking the attack." Ars Technica reports: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year's worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London.

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment. "Once arbitrary code execution is achieved during the DXE phase, it's game over for platform security," researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. "From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started." From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device -- a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June -- runs standard firmware defenses, including Secure Boot and Intel Boot Guard.

LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. However, this list is currently incomplete.

"A non-exhaustive list of companies releasing advisories includes AMI (PDF), Insyde, Phoenix, and Lenovo," reports Ars. "People who want to know if a specific device is vulnerable should check with the manufacturer."

"The best way to prevent LogoFAIL attacks is to install the UEFI security updates that are being released as part of Wednesday's coordinated disclosure process. Those patches will be distributed by the manufacturer of the device or the motherboard running inside the device. It's also a good idea, when possible, to configure UEFIs to use multiple layers of defenses. Besides Secure Boot, this includes both Intel Boot Guard and, when available, Intel BIOS Guard. There are similar additional defenses available for devices running AMD or ARM CPUs."

AI

AI Models May Enable a New Era of Mass Spying, Says Bruce Schneier (arstechnica.com) 37

An anonymous reader quotes a report from Ars Technica: In an editorial for Slate published Monday, renowned security researcher Bruce Schneier warned that AI models may enable a new era of mass spying, allowing companies and governments to automate the process of analyzing and summarizing large volumes of conversation data, fundamentally lowering barriers to spying activities that currently require human labor. In the piece, Schneier notes that the existing landscape of electronic surveillance has already transformed the modern era, becoming the business model of the Internet, where our digital footprints are constantly tracked and analyzed for commercial reasons.

Spying, by contrast, can take that kind of economically inspired monitoring to a completely new level: "Spying and surveillance are different but related things," Schneier writes. "If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did." Schneier says that current spying methods, like phone tapping or physical surveillance, are labor-intensive, but the advent of AI significantly reduces this constraint. Generative AI systems are increasingly adept at summarizing lengthy conversations and sifting through massive datasets to organize and extract relevant information. This capability, he argues, will not only make spying more accessible but also more comprehensive. "This spying is not limited to conversations on our phones or computers," Schneier writes. "Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and 'Hey, Google' are already always listening; the conversations just aren't being saved yet." [...]

In his editorial, Schneier raises concerns about the chilling effect that mass spying could have on society, cautioning that the knowledge of being under constant surveillance may lead individuals to alter their behavior, engage in self-censorship, and conform to perceived norms, ultimately stifling free expression and personal privacy. So what can people do about it? Anyone seeking protection from this type of mass spying will likely need to look toward government regulation to keep it in check since commercial pressures often trump technological safety and ethics. [...] Schneier isn't optimistic on that front, however, closing with the line, "We could prohibit mass spying. We could pass strong data-privacy rules. But we haven't done anything to limit mass surveillance. Why would spying be any different?" It's a thought-provoking piece, and you can read the entire thing on Slate.

Windows

Windows 10 Gets Three More Years of Security Updates, If You Can Afford Them (arstechnica.com) 80

An anonymous reader quotes a report from Ars Technica: Windows 10's end-of-support date is October 14, 2025. That's the day that most Windows 10 PCs will receive their last security update and the date when most people should find a way to move to Windows 11 to ensure that they stay secure. As it has done for other stubbornly popular versions of Windows, though, Microsoft is offering a reprieve for those who want or need to stay on Windows 10: three additional years of security updates, provided to those who can pay for the Extended Security Updates (ESU) program.

The initial announcement, written by Windows Servicing and Delivery Principal Product Manager Jason Leznek, spends most of its time encouraging users and businesses to upgrade to Windows 11 rather than staying on 10, either by updating their current computers, upgrading to new PCs or transitioning to a Windows 365 cloud-based PC instead. But when Leznek does get to the announcement of the ESU program, the details are broadly similar to the program Microsoft offered for Windows 7 a few years ago: three additional years of monthly security updates and technical support, paid for one year at a time. The company told us that "pricing will be provided at a later date," but for the Windows 7 version of the ESU program, Microsoft upped the cost of the program each year to encourage people to upgrade to a newer Windows version before they absolutely had to; the cost was also per-seat, so what you paid was proportional to the number of PCs you needed updates for.

One difference this time is that Microsoft told us it would be offering Windows 10 ESU updates to individuals, though the company didn't offer particulars. More details should be available on Windows 10's lifecycle support page soon. Leznek reiterated that Windows 10 22H2 would be the final version of Windows 10 and that the operating system would not receive any additional features during the ESU period.

Encryption

Beeper Mini is an iMessage-for-Android App That Doesn't Require Any Apple Device at All (liliputing.com) 122

An anonymous reader shares a report: Beeper has been offering a unified messaging platform for a few years, allowing users to open a single app to communicate with contacts via SMS, Google Chat, Facebook Messenger, Slack, Discord, WhatsApp, and perhaps most significantly, iMessage. Up until this week though, Android users that wanted to use Beeper to send "blue bubble" messages to iMessage users had their messages routed through a Mac or iOS device. Now Beeper has launched a new app called Beeper Mini that handles everything on-device, no iPhone or Mac bridge required.

Beeper Mini is available now from the Google Play Store, and offers a 7-day free trial. After that, it costs $2 per month to keep using. [...] previously the company had to rely on a Mac-in-the-cloud? The company explains the method it's using in a blog post, but in a nutshell, Beeper says a security researcher has reverse engineered "the iMessage protocol and encryption," so that "all messages are sent and received by Beeper Mini Android app directly to Apple's servers" and "the encryption keys needed to encrypt these messages never leave your phone." That security researcher, by the way, is a high school student that goes by jjtech, who was hired by Beeper after showing the company his code. A proof-of-concept Python script is also available on GitHub if you'd like to run it to send messages to iMessage from a PC.

AI

Meta, IBM Create Industrywide AI Alliance To Share Technology (bloomberg.com) 6

Meta and IBM are joining more than 40 companies and organizations to create an industry group dedicated to open source artificial intelligence work, aiming to share technology and reduce risks. From a report: The coalition, called the AI Alliance, will focus on the responsible development of AI technology, including safety and security tools, according to a statement Tuesday. The group also will look to increase the number of open source AI models -- rather than the proprietary systems favored by some companies -- develop new hardware and team up with academic researchers.

Proponents of open source AI technology, which is made public by developers for others to use, see the approach as a more efficient way to cultivate the highly complex systems. Over the past few months, Meta has been releasing open source versions of its large language models, which are the foundation of AI chatbots.
