Security

Hackers Leak Documents From Pentagon IT Services Provider Leidos (reuters.com) 16

According to Bloomberg, hackers have leaked internal documents stolen from Leidos Holdings, one of the largest IT services providers of the U.S. government. Reuters reports: The company recently became aware of the issue and believes the documents were taken during a previously reported breach of a Diligent Corp. system it used, the report said, adding that Leidos is investigating it. The Virginia-based company, which counts the U.S. Department of Defense as its primary customer, used the Diligent system to host information gathered in internal investigations, the report added, citing a filing from June 2023. A spokesperson for Diligent said the issue seems to be related to an incident from 2022, affecting its subsidiary Steele Compliance Solutions. The company notified impacted customers and had taken corrective action to contain the incident in November 2022.
Government

House Committee Calls On CrowdStrike CEO To Testify On Global Outage (theverge.com) 76

According to the Washington Post (paywalled), the House Homeland Security Committee has called on the CrowdStrike CEO to testify over the major outage that brought flights, hospital procedures, and broadcasters to a halt on Friday. The outage was caused by a defective software update from the company that primarily affected computers runnings Windows, resulting in system crashes and "blue screen of death" errors. From the report: Republican leaders of the House Homeland Security Committee demanded that CrowdStrike CEO George Kurtz commit by Wednesday to appearing on Capitol Hill to explain how the outages occurred and what "mitigation steps" the company is taking to prevent future episodes. [...] Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairs of the Homeland Security Committee and its cybersecurity subcommittee, respectively, wrote in their letter that the outages "must serve as a broader warning about the national security risks associated with network dependency. Protecting our critical infrastructure requires us to learn from this incident and ensure that it does not happen again," the lawmakers wrote. CrowdStrike spokesperson Kirsten Speas said in an emailed statement Monday that the company is "actively in contact" with the relevant congressional committees and that "engagement timelines may be disclosed at Members' discretion," but declined to say whether Kurtz will testify.

The committee is one of several looking into the incident, with members of the House Oversight Committee and House Energy and Commerce Committee separately requesting briefings from CrowdStrike. But the effort by Homeland Security Committee leaders marks the first time the company is being publicly summoned to testify about its role in the disruptions. CrowdStrike has risen to prominence as a major security provider partly by identifying malicious online campaigns by foreign actors, but the outages have heightened concern in Washington that international adversaries could look to exploit future incidents. "Malicious cyber actors backed by nation-states, such as China and Russia, are watching our response to this incident closely," Green and Garbarino wrote. The outages, which disrupted agencies at the federal and state level, are also raising questions about how much businesses and government officials alike have come to rely on Microsoft products for their daily operations.

Open Source

Switzerland Now Requires All Government Software To Be Open Source (zdnet.com) 60

Switzerland has enacted the "Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks" (EMBAG), mandating open-source software (OSS) in the public sector to enhance transparency, security, and efficiency. "This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it," writes ZDNet's Steven Vaughan-Nichols. "This 'public money, public code' approach aims to enhance government operations' transparency, security, and efficiency." From the report: Making this move wasn't easy. It began in 2011 when the Swiss Federal Supreme Court published its court application, Open Justitia, under an OSS license. The proprietary legal software company Weblaw wasn't happy about this. There were heated political and legal fights for more than a decade. Finally, the EMBAG was passed in 2023. Now, the law not only allows the release of OSS by the Swiss government or its contractors, but also requires the code to be released under an open-source license "unless the rights of third parties or security-related reasons would exclude or restrict this."

Professor Dr. Matthias Sturmer, head of the Institute for Public Sector Transformation at the Bern University of Applied Sciences, led the fight for this law. He hailed it as "a great opportunity for government, the IT industry, and society." Sturmer believes everyone will benefit from this regulation, as it reduces vendor lock-in for the public sector, allows companies to expand their digital business solutions, and potentially leads to reduced IT costs and improved services for taxpayers.

In addition to mandating OSS, the EMBAG also requires the release of non-personal and non-security-sensitive government data as Open Government Data (OGD). This dual "open by default" approach marks a significant paradigm shift towards greater openness and practical reuse of software and data. Implementing the EMBAG is expected to serve as a model for other countries considering similar measures. It aims to promote digital sovereignty and encourage innovation and collaboration within the public sector. The Swiss Federal Statistical Office (BFS) is leading the law's implementation, but the organizational and financial aspects of the OSS releases still need to be clarified.

China

China Is Getting Secretive About Its Supercomputers 28

For decades, American and Chinese scientists collaborated on supercomputers. But Chinese scientists have become more secretive as the U.S. has tried to hinder China's technological progress, and they have stopped participating altogether in a prominent international supercomputing forum. From a report: The withdrawal marked the end of an era and created a divide that Western scientists say will slow the development of AI and other technologies as countries pursue separate projects. The new secrecy also makes it harder for the U.S. government to answer a question it deems essential to national security: Does the U.S. or China have faster supercomputers? Some academics have taken it upon themselves to hunt for clues about China's supercomputing progress, scrutinizing research papers and cornering Chinese peers at conferences.

Supercomputers have become central to the U.S.-China technological Cold War because the country with the faster supercomputers can also hold an advantage in developing nuclear weapons and other military technology. "If the other guy can use a supercomputer to simulate and develop a fighter jet or weapon 20% or even 1% better than yours in terms of range, speed and accuracy, it's going to target you first, and then it's checkmate," said Jimmy Goodrich, a senior adviser for technology analysis at Rand, a think tank. The forum that China recently stopped participating in is called the Top500, which ranks the world's 500 fastest supercomputers. While the latest ranking, released in June, says the world's three fastest computers are in the U.S., the reality is probably different.
Security

Hackers Shut Down Heating in Ukrainian City With Malware, Researchers Say (techcrunch.com) 14

An anonymous reader shares a report: For two days in mid-January, some Ukrainians in the city of Lviv had to live without central heating and suffer freezing temperatures because of a cyberattack against a municipal energy company, security researchers and Ukrainian authorities have since concluded. On Tuesday, the cybersecurity company Dragos published a report with details about a new malware dubbed FrostyGoop, which the company says is designed to target industrial control systems -- in this particular case, specifically against a type of heating system controller. Dragos researchers wrote in their report that they first detected the malware in April. At that point, Dragos did not have more information on FrostyGoop apart from the malware sample, and believed it was only used for testing.

Later on, however, Ukrainian authorities warned Dragos that they had found evidence that the malware was actively used in a cyberattack in Lviv during the late evening of January 22 through January 23. "And that resulted in the loss of heating to over 600 apartment buildings for almost 48 hours," said Mark "Magpie" Graham, a researcher at Dragos, during a call with reporters briefed on the report prior to its release. Dragos researchers Graham, Kyle O'Meara, and Carolyn Ahlers wrote in the report that "remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures." This is the third known outage linked to cyberattacks to hit Ukrainians in recent years.

United States

In Shock Move, California Forever Pulls Measure To Build Bay Area City (sfgate.com) 51

An anonymous reader quotes a report from SFGate: A group of tech billionaires and millionaires has pulled its ballot measure that aimed to build a utopian city in Solano County. Instead, the group will go back to the drawing board the old-fashioned way by submitting an application to the county. The surprise announcement was made Monday by California Forever, a group of investors planning a city of 400,000 people in an agricultural part of the Bay Area near Rio Vista. It recently received the requisite number of signatures to put its East Solano Plan on the November ballot; that measure, if passed, would have removed some zoning restrictions that prevent this type of development in the area.

California Forever will instead "submit an application for a General Plan & Zoning Amendment and proceed with the normal County process which includes preparation of a full Environmental Impact Report and the negotiation and execution of Development Agreement," Solano County Board of Supervisors Chair Mitch Mashburn said in a statement Monday. The news was celebrated by many in Solano County, where skepticism about the project ran deep. The group's secretive purchases of huge tracts of land first brought about national security fears, even from local politicians, who had no idea who was behind the project. When the plan to build a futuristic city was announced, California Forever faced widespread pushback, ranging from concerns about billionaire backers like Reid Hoffman and Laurene Powell Jobs to questions about the impacts on traffic, water usage and proximity to Travis Air Force Base.
California Forever CEO Jan Sramek said in a statement: "We believe that with this process, we can build a shared vision that passes with a decisive majority and creates broad consensus for the future. We're excited about working with the Board of Supervisors, its land use subcommittee, and county staff to make this happen."
Businesses

Wiz Turns Down $23 Billion Google Deal (fortune.com) 25

Wiz, the cloud security startup that was in acquisition talks with Google, has decided not to forward with the deal and to remain an independent company, according to an internal note sent to company employees on Monday. Fortune: "While we are flattered by offers we have received, we have chosen to continue on our path to building Wiz," CEO Assaf Rappaport wrote in the note. Rappaport said in the email that the company's next target is to reach $1 billion in annual recurring revenue and to take the company public.
Privacy

Telegram Zero-Day for Android Allowed Malicious Files To Masquerade as Videos (therecord.media) 7

Researchers have identified a zero-day exploit for the Telegram messaging app on Android devices that could have allowed attackers to send malicious payloads disguised as legitimate files. From a report: The exploit was built to abuse a vulnerability that Slovakia-based firm ESET dubbed EvilVideo. Telegram fixed the bug earlier this month in versions 10.14.5 and above after researchers reported it. Threat actors had about five weeks to exploit the zero-day before it was patched, but it's not clear if it was used in the wild, ESET said. ESET discovered the exploit on an underground forum in early June. It was sold for an unspecified price by a user with the username "Ancryno." In its post, the seller showed screenshots and a video of testing the exploit in a public Telegram channel.

In unpatched versions of Telegram for Android, attackers could use the exploit to send malicious payloads via Telegram channels, groups and chats, making them appear as multimedia files. The exploit takes advantage of Telegram's default setting to automatically download media files. The option can be disabled manually, but in that case, the payload could still be installed on the device if a user tapped the download button in the top left corner of the shared file. If the user tried to play the "video," Telegram displayed a message that it was unable to play it and suggested using an external player. The hackers disguised a malicious app as this external player.

Windows

Microsoft Reveals EU Deal Behind Windows Access After Global Outage (wsj.com) 112

A Microsoft spokesman says that a 2009 European Commission agreement prevents the company from restricting third-party access to Windows' core functions, shedding light on factors contributing to Friday's widespread outage that affected millions of computers globally. The disruption, which caused the infamous "blue screen of death" on Windows machines across various industries, originated from a faulty update by cybersecurity firm CrowdStrike. The incident highlighted the vulnerability of Microsoft's open ecosystem, mandated by the EU agreement, which requires the tech giant to provide external security software developers the same level of system access as its own products. This policy stands in stark contrast to more closed systems like Apple's.
Crime

Ransomware Attack Takes Down Computer System for America's Largest Trial Court (apnews.com) 33

A ransomware attack has taken down the computer system of America's largest trial court, reports the Associated Press: The cybersecurity attack began early Friday and is not believed to be related to the faulty CrowdStrike software update that has disrupted airlines, hospitals and governments around the world, officials said in a statement Friday. The court disabled its computer network systems upon discovery of the attack, and it will remain down through at least the weekend.
Friday's statement called it "a serious security event," adding that the court is receiving help from local, state, and federal law enforcement agencies. "At this time, the preliminary investigation shows no evidence of court users' data being compromised." Over the past few years, the Court has invested heavily in its cybersecurity operations, modernizing its cybersecurity infrastructure and making strategic staff investments in the Cybersecurity Division within Court Technology Services. As a result of this investment, the Court was able to quickly detect an intrusion and address it immediately.

Due to the ongoing nature of the investigation, remediation, and recovery, the Court will not comment further until additional information is available for public release.

Sunday the Court posted on X.com that they're "working diligently to get the Court's network systems back up and running...

"When we have a better understanding of the extent to which the Court will be operational tomorrow, July 22, we will provide information and direction to court users and jurors, likely later this evening."
China

One Nation Mostly Unaffected by the Crowdstrike Outage: China (bbc.com) 49

The BBC reports that "while most of the world was grappling with the blue screen of death on Friday," there was one country that managed to escape largely unscathed: China. The reason is actually quite simple: CrowdStrike is hardly used there. Very few organisations will buy software from an American firm that, in the past, has been vocal about the cyber-security threat posed by Beijing. Additionally, China is not as reliant on Microsoft as the rest of the world. Domestic companies such as Alibaba, Tencent and Huawei are the dominant cloud providers.

So reports of outages in China, when they did come, were mainly at foreign firms or organisations. On Chinese social media sites, for example, some users complained they were not able to check into international chain hotels such as Sheraton, Marriott and Hyatt in Chinese cities. Over recent years, government organisations, businesses and infrastructure operators have increasingly been replacing foreign IT systems with domestic ones. Some analysts like to call this parallel network the "splinternet".

"It's a testament to China's strategic handling of foreign tech operations," says Josh Kennedy White, a cybersecurity expert based in Singapore. "Microsoft operates in China through a local partner, 21Vianet, which manages its services independently of its global infrastructure. This setup insulates China's essential services — like banking and aviation — from global disruptions."

"Beijing sees avoiding reliance on foreign systems as a way of shoring up national security."

Thanks to long-time Slashdot reader hackingbear for sharing the article.
The Military

US Prepares Jamming Devices Targeting Russia, China Satellites (msn.com) 45

In April the U.S. Space Force began testing "a new ground-based satellite jamming weapon to help keep U.S. military personnel safe from potential 'space-enabled' attacks" (according to a report from Space.com). The weapon was "designed to deny, degrade, or disrupt communications with satellites overhead, typically through overloading specific portions of the electromagnetic spectrum with interference," according to the article, with the miitary describing it as a small form-factor system "designed to be fielded in large numbers at low-cost and operated remotely" and "provide counterspace electronic warfare capability to all of the new Space Force components globally."

And now, Bloomberg reports that the U.S. is about to deploy them: The devices aren't meant to protect U.S. satellites from Chinese or Russian jamming but "to responsibly counter adversary satellite communications capabilities that enable attacks," the Space Force said in a statement to Bloomberg News. The Pentagon strives — on the rare occasions when it discusses such space capabilities — to distinguish its emerging satellite-jamming technology as purely defensive and narrowly focused. That's as opposed to a nuclear weapon the U.S. says Russia is developing that could create high-altitude electromagnetic pulses that would take out satellites and disrupt entire communications networks.

The first 11 of 24 Remote Modular Terminal jammers will be deployed in several months, and all of them could be in place by Dec. 31 at undisclosed locations, according to the Space Force statement... The new terminals augment a much larger jamming weapon called the Counter Communications System that's already deployed and a mid-sized one called Meadowlands "by providing the ability to have a proliferated, remotely controlled and relatively relocatable capability," the Space Force said. The Meadowlands system has encountered technical challenges that have delayed its delivery until at least October, about two years later than planned.

China has "hundreds and hundreds of satellites on orbit designed to find, fix, track, target and yes, potentially engage, US and allied forces across the Indo-Pacific," General Stephen Whiting, head of US Space Command, said Wednesday at the annual Aspen Security Forum. "So we've got to understand that and know what it means for our forces."

Bloomberg also got this comment from the chief director of space security and stability at the Secure World Foundation (which produces reports on counterspace weapons). The new U.S. Space Force jamming weapons are "reversible, temporary, non-escalatory and allow for plausible deniability in terms of who the instigator is."
Crime

Former Anonymous Spokesperson's Memoir Called 'Deranged, Hyperbolic, and True' (nytimes.com) 33

Slashdot covered Barrett Brown back in 2011 and 2012. The New York Times calls him "an activist associated with the hacker group Anonymous, and a political prisoner recently denied asylum in Britain, all of which sounds a bit dreary until we hear tell of it through Brown's unhinged self-regard."

They're reviewing Brown's "extraordinary" new memoir, My Glorious Defeats: Hacktivist, Narcissist, Anonymous," a book they call "deranged, hyperbolic, and true." A "machine" that focuses attention on little-known social issues, Anonymous has gone after the Church of Scientology, Koch Industries, websites hosting child pornography and the Westboro Baptist Church. The public tends to be confused by nebulous digital activities, so it was, in the collective's heyday, helpful to have Brown act as a translator between the hackers and mainstream journalists. "The year 2011 ended as it began," he writes, "with a sophisticated hack on a state-affiliated corporation that ostensibly dealt in straightforward security and analysis while secretly engaging in black ops campaigns against activists who'd proven troublesome to powerful clients."

This particular corporation was Stratfor, a company that spied on activists for the government... Brown waited for the feds to come back and drag him to jail. He also says he tried to get off suboxone in order to avoid the painful possibility of prison withdrawal, and stopped taking Paxil, inducing a manic state, all of which is given as explanation for his regrettable next move, which was to set up a camera and start talking. The feds had threatened his mother, he told the internet, and in response he was threatening Robert Smith, the lead agent on his case. He found himself in custody the same night.

Brown was then subjected to the kind of nonsense the Department of Justice is prone to inflicting on those involved in shadowy internet activities that, in fact, almost no one in the legal process understands. He was charged with participating in the hack of Stratfor, though he was not really involved and cannot code, and although the whole thing was organized by an F.B.I. informant. Brown had also retweeted a Fox News host's call to murder Julian Assange; the prosecution presented this as if he were himself calling for the murder of Assange. But generally, Brown's primary victim is himself. "My thirst for glory and hatred for the state," he writes, "were incompatible with an orthodox criminal defense, in which the limiting of one's sentence is the sole objective."

In his cell, with an eraser-less pencil he needs a compliant guard to repeatedly sharpen, he writes "The Barrett Brown Review of Arts and Letters and Jail." His mother types it up; The Intercept publishes. He develops the character he will play in his memoir: a self-aware narcissist and addict. He wins a National Magazine Award, and is especially pleased that his column "Please Stop Sending Me Jonathan Franzen Novels," wins while Franzen is in attendance.

"The state is an afterthought here — a litany of absurdist horrors too stupid to appall..." the review concludes.

"We're left with a man who refuses to look away from the deep structure of the world, an unstable position from which there is no sanctuary. My Glorious Defeats is deranged, hyperbolic and as true a work as I have read in a very long time."
Privacy

CNN Investigates 'Airbnb's Hidden Camera Problem' (cnn.com) 76

2017 Slashdot headline: "People Keep Finding Hidden Cameras in Their Airbnbs."

Nearly seven years later, CNN launched their own investigation of "Airbnb's hidden camera problem". CNN: "Across North America, police have seized thousands of images from hidden cameras at Airbnb rentals, including people's most intimate moments... It's more than just a few reported cases. And Airbnb knows it's a problem. In this deposition reviewed by CNN, an Airbnb rep said 35,000 customer support tickets about security cameras or recording devices had been documented over a decade. [The deposition estimates "about" 35,000 tickets "within the scope of the security camera and recording devices policy."]

Airbnb told CNN a single complaint can involve multiple tickets.

CNN actually obtained the audio recording of an Airbnb host in Maine admitting to police that he'd photographed a couple having sex using a camera hidden in a clock — and also photographed other couples. And one Airbnb guest told CNN he'd only learned he'd been recorded "because police called him, months later, after another guest found the camera" — with police discovering cameras in every single room in the house, concealed inside smoke detectors. "Part of the challenge is that the technology has gotten so advanced, with these cameras so small that you can't even see them," CNN says.

But even though recording someone without consent is illegal in every state, CNN also found that in this case and others, Airbnb "does not contact law enforcement once hidden cameras are discovered — even if children are involved." Their reporter argues that Airbnb "not only fails to protect its guests — it works to keep complaints out of the courts and away from the public."

They spoke to two Florida attorneys who said trying to sue Airbnb if something goes wrong is extremely difficult — since its Terms of Service require users to assume every risk themselves. "The person going to rent the property agrees that if something happens while they're staying at this accommodation, they're actually prohibited from suing Airbnb," says one of the attorneys. "They must go a different route, which is a binding arbitration." (When CNN asked if this was about controlling publicity, the two lawyers answered "absolutely" and "100%".) And when claims are settled, CNN adds, "Airbnb has required guests to sign confidentiality agreements — which CNN obtained — that keep some details of legal cases private."

Responding to the story, Airbnb seemed to acknowledge guests have been secretly recorded by hosts, by calling such occurrences "exceptionally rare... When we do receive an allegation, we take appropriate, swift action, which can include removing hosts and listings that violate the policy.

"Airbnb's trust and safety policies lead the vacation rental industry..."
The Courts

In SolarWinds Case, US Judge Rejects SEC Oversight of Cybersecurity Controls (msn.com) 18

SolarWinds still faces some legal action over its infamous 2020 breach, reports NextGov.com. But a U.S. federal judge has dismissed most of the claims from America's Securities and Exchange Commission, which "alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020."

Slashdot reader krakman shares this report from the Washington Post: "The SEC's rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications," [judge] Engelmayer wrote in a 107-page decision. "It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers," he wrote. The federal judge also dismissed SEC claims that SolarWinds' disclosures after it learned its customers had been affected improperly covered up the gravity of the breach...

In an era when deeply damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives and even former government officials, as expressed in friend-of-the-court briefs asking that it be thrown out. They argued that adding liability for misstatements would discourage hacking victims from sharing what they know with customers, investors and safety authorities. Austin-based SolarWinds said it was pleased that the judge "largely granted our motion to dismiss the SEC's claims," adding in a statement that it was "grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns."

The article notes that as far back as 2018, "an engineer warned in an internal presentation that a hacker could use the company's virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information along to top executives, the judge wrote, and hackers later used that exact technique." Engelmayer did not dismiss the case entirely, allowing the SEC to try to show that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning in a public "security statement" before the hack that it knew it was highly vulnerable to attacks.

The SEC "plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls," Engelmayer wrote. "Given the centrality of cybersecurity to SolarWinds' business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material."

Open Source

Are There Gaps in Training for Secure Software Development? (linuxfoundation.org) 45

A new report "explores the current state of secure software development," according to an announcement from the Linux Foundation, "and underscores the urgent need for formalized industry education and training programs," noting that many developers "lack the essential knowledge and skills to effectively implement secure software development."

The report analyzes a survey of nearly 400 software development professionals performed by and the Open Source Security Foundation (OpenSSF) and Linux Foundation Research: Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment — system operations, software developers, committers, and maintainers — self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company's applications and systems.

"Time and again we've seen the exploitation of software vulnerabilities lead to catastrophic consequences, highlighting the critical need for developers at all levels to be armed with adequate knowledge and skills to write secure code," said David A. Wheeler, director of open source supply chain security for the Linux Foundation. "Our research found that a key challenge is the lack of education in secure software development. Practitioners are unsure where to start and instead are learning as they go. It is clear that an industry-wide effort to bring secure development education to the forefront must be a priority." OpenSSF offers a free course on developing secure software (LFD121) and encourages developers to start with this course.

Survey results indicate that the lack of security awareness is likely due to most current educational programs prioritizing functionality and efficiency while often neglecting essential security training. Additionally, most professionals (69%) rely on on-the-job experience as a main learning resource, yet it takes at least five years of such experience to achieve a minimum level of security familiarity.

"The top reason (44%) for not taking a course on secure software development is lack of knowledge about a good course on the topic," according to the announcement — which includes this follow-up quote from Intel's Christopher Robinson (co-chair of the OpenSSF Education SIG).

"Based on these findings, OpenSSF will create a new course on security architecture which will be available later this year which will help promote a 'security by design' approach to software developer education."
Firefox

Firefox 128 Criticized for Including Small Test of 'Privacy-Preserving' Ad Tech by Default (itsfoss.com) 57

"Many people over the past few days have been lashing out at Mozilla," writes the blog Its FOSS, "for enabling Privacy-Preserving Attribution by default on Firefox 128, and the lack of publicity surrounding its introduction."

Mozilla responded that the feature will only run "on a few sites in the U.S. under strict supervision" — adding that users can disable it at any time ("because this is a test"), and that it's only even enabled if telemetry is also enabled.

And they also emphasize that it's "not tracking." The way it works is there's an "aggregation service" that can periodically send advertisers a summary of ad-related actions — again, aggregated data, from a mass of many other users. (And Mozilla says that aggregated summary even includes "noise that provides differential privacy.") This Privacy-Preserving Attribution concept "does not involve sending information about your browsing activities to anyone... Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."

More from It's FOSS: Even though Mozilla mentioned that PPA would be enabled by default on Firefox 128 in a few of its past blog posts, they failed to communicate this decision clearly, to a wider audience... In response to the public outcry, Firefox CTO, Bobby Holley, had to step in to clarify what was going on.

He started with how the internet has become a massive cesspool of surveillance, and doing something about it was the primary reason many people are part of Mozilla. He then expanded on their approach with Firefox, which, historically speaking, has been to ship a browser with anti-tracking features baked in to tackle the most common surveillance techniques. But, there were two limitations with this approach. One was that advertisers would try to bypass these countermeasures. The second, most users just accept the default options that they are shown...

Bas Schouten, Principal Software Engineer at Mozilla, made it clear at the end of a heated Mastodon thread that "[opt-in features are] making privacy a privilege for the people that work to inform and educate themselves on the topic. People shouldn't need to do that, everyone deserves a more private browser. Privacy features, in Firefox, are not meant to be opt-in. They need to be the default.

"If you are 'completely anti-ads' (i.e. even if their implementation is private), you probably use an ad blocker. So are unaffected by this."

This has already provoked a discussion among Slashdot readers. "It doesn't seem that evil to me," argues Slashdot reader geekprime. "Seems like the elimination of cross site cookies is a privacy enhancing idea." (They cite Mozilla's statement that their goal is "to inform an emerging Web standard designed to help sites understand how their ads perform without collecting data about individual people. By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.")

But Slashdot reader TheNameOfNick disagrees. "How realistic is the part where advertisers stop tracking you because they get less information from the browser maker...?"

Mozilla has provided simple instructions for disabling the feature:
  • Click the menu button and select Settings.
  • In the Privacy & Security panel, find the Website Advertising Preferences section.
  • Uncheck the box labeled Allow websites to perform privacy-preserving ad measurement.

Power

US Will Fall Behind In the AI Race Without Natural Gas, Says Williams Companies CEO 212

An anonymous reader quotes a report from CNBC: The U.S. will fall behind in the artificial intelligence race if it does not embrace natural gas to help meet surging electricity demand from data centers, the CEO of one of the nation's largest pipeline operators told CNBC. "The only way we're going to be able to keep up with the kind of power demand and the electrification that's already afoot is natural gas," Williams Companies CEO Alan Armstrong said in an interview Thursday. "If we deny ourselves that we're going to fall behind in the AI race." Williams Companies handles about one-third of the natural gas in the U.S. through a pipeline network that spans more than 30,000 miles. Williams' network includes the 10,000 mile Transcontinental Pipeline, or Transco, a crucial artery that serves virtually the entire eastern seaboard including Virginia, the world's largest data center hub, and fast growing Southeast markets such as Georgia.

The tech sector's expansion of data centers to support AI and the adoption of electric vehicles is projected to add 290 terawatt hours of electricity demand by the end of the decade in the U.S., according to a recent report by the energy consulting firm Rystad. This load growth is equivalent to the entire electricity demand of Turkey, the world's 18th largest economy. Executives at some the nation's largest utilities have warned that failure to meet this surging electricity demand will jeopardize not just the artificial intelligence revolution, but economic growth across the board in the U.S. The role natural gas in helping to meet that demand is controversial as the country is simultaneously trying to transition to a clean energy economy through the rapid expansion of renewables.
"We are going to run right up against a brick wall here and pretty quickly in terms of not having enough power available to do what we want to do on the AI side," Armstrong said. "I actually see this as a huge national security issue," the CEO said. "We're going to have to get out of our own way or we're going to accidentally keep ourselves from being the power we can be in the AI space."

"Those groups that have very much had their brand be all green have come to us and said, 'We got to work with you guys. We've run out of alternatives -- we can't meet the needs of our customers without using natural gas,'" Armstrong said. "We're completely out of capacity ourselves," Armstrong added. "So we just have to kind of beg, borrow and steal from other people's capacity to do our best to make gas available."
IT

It's Not Just CrowdStrike - the Cyber Sector is Vulnerable (ft.com) 90

An anonymous reader shares a report, which expands on the ongoing global outage: The incident will exacerbate concerns about concentration risk in the cyber security industry. Just 15 companies worldwide account for 62 per cent of the market in cyber security products and services, according to SecurityScorecard. In modern endpoint security, the business of securing PCs, laptops and other devices, the problem is worse: three companies, with Microsoft and CrowdStrike by far the largest, controlled half the market last year, according to IDC.

While the US Cyber Safety Review Board dissects large cyber attacks for lessons learned, there is no obvious body charged with analysing these technical failures to improve the resilience of global tech infrastructure, said Ciaran Martin, former head of the UK's National Cyber Security Centre. The current global outage should spur clients -- and perhaps even governments and regulators -- to think more about how to build diversification and redundancy into their systems.
Further reading: Without Backup Plans, Global IT Outages Will Happen Again.
Android

Google Cracks Down on Low-Quality Android Apps (androidauthority.com) 15

Google has revised its Play Store policies, aiming to eliminate subpar and potentially harmful Android apps. The updated Spam and Minimum Functionality policy, set to take effect on August 31, 2024, targets apps that crash frequently, lack substantial content, or provide minimal utility to users, the company said.

This policy shift follows Google's ongoing efforts to enhance Play Store security, with the company having blocked over 2 million policy-violating apps and rejected around 200,000 submissions in 2023 alone.

Slashdot Top Deals