Security

FBI Changes Policy for Notifying States of Election Systems Cyber Breaches (wsj.com) 32

The Federal Bureau of Investigation will notify state officials when local election systems are believed to have been breached by hackers [the link may be paywalled], a pivot in policy that comes after criticism that the FBI wasn't doing enough to inform states of election threats, WSJ reported Thursday, citing people familiar with the matter. From a report: The FBI's previous policy stated that it notified the direct victims of cyberattacks, such as the counties that own and operate election equipment, but wouldn't necessarily share that information with states. Several states and members of Congress in both parties had criticized that policy as inadequate and one that stifled state-local partnerships on improving election security. Further reading: Despite Election Security Fears, Iowa Caucuses Will Use New Smartphone App.
Chrome

Google Will Wind Down Chrome Apps Starting in June (pcworld.com) 32

Google said this week that it will begin to phase out traditional Chrome apps starting in June, and winding down slowly over two years' time. Chrome extensions, though, will live on. From a report: Google said Tuesday in a blog post that it would stop accepting new Chrome apps in March. Existing apps could continue to be developed through June, 2022. The important dates start in June of this year, when Google will end support for Chrome Apps on the Windows, Mac, and Linux platforms. Education and Enterprise customers on these platforms will get a little more time to get their affairs in order, until December, 2020. Google had actually said four years ago that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. The company appears to have waited longer than announced before beginning this process. The other platform that's affected by this, of course, is Google's own Chrome OS and Chromebooks, for which the apps were originally developed.
Wireless Networking

Bruce Schneier on 5G Security (schneier.com) 33

Bruce Schneier comments on the issues surrounding 5G security: [...] Keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards, the protocols and software for 5G, ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security. To be sure, there are significant security improvements in 5G over 4G in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren't enough. The 5G security problems are threefold.

First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it. Second, there's so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems. Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.

Security

Proof-of-Concept Exploits Published for the Microsoft-NSA Crypto Bug (zdnet.com) 25

Security researchers have published proof-of-concept (PoC) code for exploiting a recently patched vulnerability in the Windows operating system, a vulnerability that was reported to Microsoft by the US National Security Agency (NSA). From a report: The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher Tal Be'ery, "the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft's code." According to the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to: 1. Launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections. 2. Fake signatures for files and emails. 3. Fake signed-executable code launched inside Windows.
Encryption

The FBI Can Unlock Florida Terrorist's iPhones Without Apple (bloomberg.com) 121

The FBI is pressing Apple to help it break into a terrorist's iPhones, but the government can hack into the devices without the technology giant, according to experts in cybersecurity and digital forensics. From a report: Investigators can exploit a range of security vulnerabilities -- available directly or through providers such as Cellebrite and Grayshift -- to break into the phones, the security experts said. Mohammed Saeed Alshamrani, the perpetrator of a Dec. 6 terrorist attack at a Navy base in Florida, had an iPhone 5 and iPhone 7, models that were first released in 2012 and 2016, respectively. Alshamrani died and the handsets were locked, leaving the FBI looking for ways to hack into the devices. "A 5 and a 7? You can absolutely get into that," said Will Strafach, a well-known iPhone hacker who now runs the security company Guardian Firewall. "I wouldn't call it child's play, but it's not super difficult." That counters the U.S. government's stance. Attorney General William Barr slammed Apple on Monday, saying the company hasn't done enough to help the FBI break into the iPhones.

"We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements," President Donald Trump wrote on Twitter Tuesday. The comments add to pressure on Apple to create special ways for the authorities to access iPhones. Apple has refused to build such backdoors, saying they would be used by bad actors, too. Indeed, Strafach and other security experts said Apple wouldn't need to create a backdoor for the FBI to access the iPhones that belonged to Alshamrani.
Further reading: The FBI Got Data From A Locked iPhone 11 Pro Max -- So Why Is It Demanding Apple Unlock Older Phones?
Encryption

iPhones Can Now Be Used To Generate 2FA Security Keys For Google Accounts (9to5google.com) 4

Most modern iPhones running iOS 13 can now be used as a built-in phone security key for Google apps. 9to5Google reports: A built-in phone security key differs from the Google Prompt, though both essentially share the same UI. The latter push-based approach is found in the Google Search app and Gmail, while today's announcement is more akin to a physical USB-C/Lightning key in terms of being resistant to phishing attempts and verifying who you are. Your phone security key needs to be physically near (within Bluetooth range) the device that wants to log in. The login prompt is not just being sent over an internet connection.

With an update to the Google Smart Lock app on iOS this week, "you can now set up your phone's built-in security key." According to one Googler today, the company is leveraging the Secure Enclave found on Apple's A-Series chips. Storing Touch ID, Face ID, and other cryptographic data, it was first introduced on the iPhone 5s, though that particular device no longer supports iOS 13. Anytime users enter a Google Account username and password, they'll be prompted to open Smart Lock on their nearby iPhone to confirm a sign-in. There's also the option to cancel with "No, it's not me." This only works when signing in to Google with Chrome, while Bluetooth on both the desktop computer and phone needs to be enabled as the devices are locally communicating the confirmation request and verification.

Microsoft

Microsoft Launches Chromium Edge for Windows 7, Windows 8, Windows 10, and macOS (venturebeat.com) 59

Microsoft today launched its new Edge browser based on Google's Chromium open source project. You can download Chromium Edge now for Windows 7, Windows 8, Windows 10, and macOS directly from microsoft.com/edge in more than 90 languages. From a report: Business features aside, there's also support for Chrome-based extensions, 4K streaming, Dolby audio, inking in PDF, and privacy tools. For the last one, it's worth noting that tracking prevention is on by default and offers three levels of control, like Firefox's tracking protection. Chrome extension support is probably the most important feature for most users. By default, extensions that have been ported over to Edge can be downloaded from the Microsoft Store. Chromium Edge also has an option to "Allow extensions from other stores" to get Chrome extensions from the Chrome Web Store. There are still a few features missing from Chromium Edge, most notably history sync and extension sync. Microsoft is working on these and some other inking functionality that it still wants to port from legacy Edge, as Microsoft is calling it. Microsoft also claims that Chromium Edge is "twice as fast as legacy Edge." Curiously, the team isn't making any claims against other browsers -- at least not yet.
Bug

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program 4

An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.
Security

Microsoft Patches Major Windows 10 Vulnerability After NSA Warning (cnbc.com) 42

Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.

In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

Open Source

How Digital Sleuths Unravelled the Mystery of Iran's Plane Crash (wired.co.uk) 172

Open-source intelligence proved vital in the investigation into Ukraine Airlines flight PS752. Then Iranian officials had to admit the truth. From a report: [...] In the days after the Ukraine Airlines plane crashed into the ground outside Tehran, Bellingcat and The New York Times have blown a hole in the supposition that the downing of the aircraft was an engine failure. The pressure -- and the weight of public evidence -- compelled Iranian officials to admit overnight on January 10 that the country had shot down the plane "in error." So how do they do it? "You can think of OSINT as a puzzle. To get the complete picture, you need to find the missing pieces and put everything together," says Lorand Bodo, an OSINT analyst at Tech versus Terrorism, a campaign group. The team at Bellingcat and other open-source investigators pore over publicly available material. Thanks to our propensity to reach for our cameraphones at the sight of any newsworthy incident, video and photos are often available, posted to social media in the immediate aftermath of events. "Open source investigations essentially involve the collection, preservation, verification, and analysis of evidence that is available in the public domain to build a picture of what happened," says Yvonne McDermott Rees, a lecturer at Swansea University.

Some of the clips in this incident surfaced on Telegram, the encrypted messaging app popular in the Middle East, while others were sent directly to Bellingcat. "Because Bellingcat is known for our open source work on MH17, people immediately thought of us. People started sending us links they'd found," says Eliot Higgins of Bellingcat. "It was involuntary crowdsourcing." OSINT investigators then utilise metadata, including EXIF data -- which is automatically inserted into videos and photos, showing everything from the type of camera used to take the images to the precise latitude and longitude of where the taker was standing -- to verify that the footage is legitimate. They'll also try to identify who took the footage, and whether it's practical for them to have been where they claim to have been at the time. However, for this instance, they couldn't use EXIF data. "People would share photos and videos on Telegram which strip the metadata, and then someone else would find that and share it on Twitter," says Higgins. "We were really getting a second-hand or third-hand version of these images. All we have to go on is what's visible in the photograph." So instead they moved onto the next step.
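The verification step described above (read the EXIF block for camera and GPS data, and recognise when a relay such as a messaging app has stripped it) can be shown with a small stdlib-only reader. This is an added example, not Bellingcat's tooling or code from the article; the JPEG it parses is constructed inline (a tiny file with only an Exif APP1 segment and no image data), the device name and coordinates in it are invented sample values, and `strip_exif` models the metadata-stripping relay by dropping the APP1 segment.

```python
"""Minimal EXIF reader for the OSINT verification step: does this JPEG still carry
camera and GPS metadata, or has a relay (messaging app, re-upload) stripped it?"""
import struct

# --- constructed sample: a tiny JPEG with an Exif APP1 segment and no scan data ---
def _entry(tag, typ, count, value4):
    """One 12-byte IFD entry; value4 is the 4-byte inline value or an offset."""
    return struct.pack('<HHI', tag, typ, count) + value4

def build_exif_jpeg(make, model, lat_dms=None):
    """Constructed test input: little-endian TIFF with Make, Model and optional GPS latitude."""
    make_b, model_b = make.encode() + b'\x00', model.encode() + b'\x00'
    n0 = 3 if lat_dms else 2
    off_make = 8 + 2 + 12 * n0 + 4          # data area starts right after IFD0
    off_model = off_make + len(make_b)
    off_gps = off_model + len(model_b)
    ifd0 = struct.pack('<H', n0)
    ifd0 += _entry(0x010F, 2, len(make_b), struct.pack('<I', off_make))    # Make
    ifd0 += _entry(0x0110, 2, len(model_b), struct.pack('<I', off_model))  # Model
    if lat_dms:
        ifd0 += _entry(0x8825, 4, 1, struct.pack('<I', off_gps))          # GPS IFD pointer
    ifd0 += struct.pack('<I', 0)
    tiff = b'II*\x00' + struct.pack('<I', 8) + ifd0 + make_b + model_b
    if lat_dms:
        off_rat = off_gps + 2 + 12 * 2 + 4
        gps = struct.pack('<H', 2)
        gps += _entry(0x0001, 2, 2, b'N\x00\x00\x00')            # GPSLatitudeRef, inline
        gps += _entry(0x0002, 5, 3, struct.pack('<I', off_rat))  # GPSLatitude, 3 rationals
        gps += struct.pack('<I', 0)
        tiff += gps + b''.join(struct.pack('<II', n, d) for n, d in lat_dms)
    body = b'Exif\x00\x00' + tiff
    return b'\xFF\xD8' + b'\xFF\xE1' + struct.pack('>H', len(body) + 2) + body + b'\xFF\xD9'

# --- reader ---
def jpeg_segments(data):
    """Yield (marker, payload) for the metadata segments that precede image data."""
    if data[:2] != b'\xFF\xD8':
        raise ValueError('not a JPEG')
    i = 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):           # EOI or start of scan: no more metadata
            return
        length = struct.unpack('>H', data[i + 2:i + 4])[0]
        yield marker, data[i + 4:i + 2 + length]
        i += 2 + length

def _read_ifd(t, off, e):
    n = struct.unpack(e + 'H', t[off:off + 2])[0]
    out = {}
    for k in range(n):
        p = off + 2 + 12 * k
        tag, typ, cnt = struct.unpack(e + 'HHI', t[p:p + 8])
        out[tag] = (typ, cnt, t[p + 8:p + 12])
    return out

def _ascii(t, e, ent):
    typ, cnt, v4 = ent
    raw = v4[:cnt] if cnt <= 4 else t[struct.unpack(e + 'I', v4)[0]:][:cnt]
    return raw.rstrip(b'\x00').decode('ascii', 'replace')

def _rationals(t, e, ent):
    typ, cnt, v4 = ent
    off = struct.unpack(e + 'I', v4)[0]
    return [struct.unpack(e + 'II', t[off + 8 * k:off + 8 * k + 8]) for k in range(cnt)]

def parse_exif(data):
    """Return {'make', 'model', 'latitude'} from the Exif APP1 segment, or None if absent."""
    for marker, payload in jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(b'Exif\x00\x00'):
            continue
        t = payload[6:]
        e = '<' if t[:2] == b'II' else '>'   # TIFF byte order
        ifd0 = _read_ifd(t, struct.unpack(e + 'I', t[4:8])[0], e)
        info = {'make': None, 'model': None, 'latitude': None}
        if 0x010F in ifd0:
            info['make'] = _ascii(t, e, ifd0[0x010F])
        if 0x0110 in ifd0:
            info['model'] = _ascii(t, e, ifd0[0x0110])
        if 0x8825 in ifd0:
            gps = _read_ifd(t, struct.unpack(e + 'I', ifd0[0x8825][2])[0], e)
            if 0x0002 in gps:
                d, m, s = [n / den for n, den in _rationals(t, e, gps[0x0002])]
                lat = d + m / 60 + s / 3600
                if 0x0001 in gps and _ascii(t, e, gps[0x0001]) == 'S':
                    lat = -lat
                info['latitude'] = lat
        return info
    return None

def strip_exif(data):
    """Model a metadata-stripping relay: drop the Exif APP1 segment (sample has no scan data)."""
    out = b'\xFF\xD8'
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b'Exif\x00\x00'):
            continue
        out += bytes([0xFF, marker]) + struct.pack('>H', len(payload) + 2) + payload
    return out + b'\xFF\xD9'

def assess(data):
    """Triage label for an analyst deciding how much to trust a clip's metadata."""
    info = parse_exif(data)
    if info is None:
        return 'no-exif: metadata stripped or never present; verify from visible content'
    if info['latitude'] is None:
        return 'exif-without-gps: device %s %s' % (info['make'], info['model'])
    return 'exif-with-gps: device %s %s at lat %.5f' % (info['make'], info['model'], info['latitude'])

# Constructed samples: an "original" upload and the same file after passing through a relay.
ORIGINAL = build_exif_jpeg('Apple', 'iPhone 7', [(35, 1), (41, 1), (1234, 100)])
RELAYED = strip_exif(ORIGINAL)

if __name__ == '__main__':
    print(assess(ORIGINAL))
    print(assess(RELAYED))
```

The reader deliberately returns `None` for a missing Exif segment rather than empty fields, so a pipeline can distinguish "stripped, fall back to visual verification" from "present but without GPS". Real photos carry many more tags and image data after the metadata segments; the parser only walks the segments before the scan, which is where EXIF lives.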

Google

Cookies Track You Across the Internet. Google Plans To Phase Them Out (nbcnews.com) 90

Google has announced plans to limit the ability of other companies to track people across the internet and collect information about them, a significant change that has widespread ramifications for online privacy as well as the digital economy. From a report: The company said Tuesday that it plans to phase out the use of digital tools known as tracking cookies, which other companies use to identify people online and learn more about them. The move is meant to offer users greater control over their digital footprints and enhance user privacy, according to Google. But the move could also provide Google with even greater control over the online advertising market, which the company already dominates. Google said the change will come to its Chrome web browser and be rolled out over two years. Google did not announce any changes to its own data collection methods.

Google also said that a previously announced change to make third-party cookies more secure and precise in their abilities will be rolled out in February. Justin Schuh, director of engineering for trust and safety for Google's Chrome, said the search giant needs time to enact changes because it is working with advertisers and publishers to address the need for cookies to remember sign-ins, embed third-party services such as weather widgets and deliver targeted advertising. But he did not downplay the significance of Google's announcement. "We want to change the way the web works," he said in an interview.

Chrome

Google To Phase Out User-Agent Strings in Chrome (zdnet.com) 119

Google has announced plans today to phase out the usage of user-agent strings in its web browser Chrome. From a report: UA strings were developed as part of the Netscape browser in the 90s, and have been in use ever since. For decades, websites have used UA strings to fine-tune features based on a visitor's technical specifications. But now, Google says that this once-useful mechanism has become a constant source of problems, on different fronts. For starters, UA strings have been used by online advertisers as a way to track and fingerprint website visitors. "On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason," said Yoav Weiss, a Google engineer working on the Chrome browser.

To address these issues, Google said it plans to phase out the importance of UA strings in Chrome by freezing the standard as a whole. Google's plan is to stop updating Chrome's UA component with new strings (the UA string text that Chrome shares with websites). The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.
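To make the fingerprinting point concrete, here is an added example (not code from the article or from Chrome) that measures how much identifying information a set of full UA strings carries, then applies a "frozen" reduction of the kind the article describes and measures again. The UA strings are a constructed sample, and the exact generic format produced by `freeze_ua` (platform class plus Chrome major version only) is an assumption for illustration, not Chrome's final format.

```python
"""Fingerprinting surface of User-Agent strings, before and after freezing them."""
import math
import re
from collections import Counter

# Constructed sample of UA strings as a server might log them (not real traffic).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.136 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.136 Mobile Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
]

def freeze_ua(ua):
    """Reduce a Chrome UA to a generic value: coarse platform class, Chrome major
    version only, desktop/mobile flag. The output format is an assumption made for
    this example; the point is that OS version, device model and build number vanish."""
    m = re.search(r'Chrome/(\d+)\.', ua)
    major = m.group(1) if m else 'unknown'
    if 'Windows' in ua:
        platform = 'Windows'
    elif 'Macintosh' in ua:
        platform = 'Macintosh'
    elif 'Android' in ua:
        platform = 'Android'
    elif 'Linux' in ua or 'X11' in ua:
        platform = 'Linux'
    else:
        platform = 'Unknown'
    mobile = 'Mobile ' if 'Mobile' in ua else ''
    return 'Mozilla/5.0 (%s) Chrome/%s.0.0.0 %sSafari/537.36' % (platform, major, mobile)

def entropy_bits(values):
    """Shannon entropy of the value distribution: bits of identifying information
    a tracker gains from seeing one value, given this population."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def uniquely_identified(values):
    """How many visitors in the population are singled out by their value alone."""
    counts = Counter(values)
    return sum(1 for v in values if counts[v] == 1)

def compare(uas):
    """Return (raw_bits, frozen_bits, raw_unique, frozen_unique) for a UA population."""
    frozen = [freeze_ua(u) for u in uas]
    return (entropy_bits(uas), entropy_bits(frozen),
            uniquely_identified(uas), uniquely_identified(frozen))

if __name__ == '__main__':
    raw_bits, frozen_bits, raw_u, frozen_u = compare(SAMPLE_UAS)
    print('full UA:   %.2f bits, %d of %d visitors unique' % (raw_bits, raw_u, len(SAMPLE_UAS)))
    print('frozen UA: %.2f bits, %d of %d visitors unique' % (frozen_bits, frozen_u, len(SAMPLE_UAS)))
```

On this sample the full strings carry about 2.4 bits and single out five of eight visitors, while the frozen form drops to 1.75 bits and two unique visitors. On real populations the difference is far larger, because OS build numbers and device models multiply the distinct values; that multiplicity is exactly what the freeze removes, and what a site should not have been relying on for feature decisions in the first place.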

Encryption

Apple Responds To AG Barr Over Unlocking Pensacola Shooter's Phone: 'No.' (inputmag.com) 234

On Monday, Attorney General William Barr called on Apple to unlock the alleged phone of the Pensacola shooter -- a man who murdered three people and injured eight others on a Naval base in Florida in December. Apple has responded by essentially saying: "no." From a report: "We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said. "It was not until January 8th that we received a subpoena for information related to the second iPhone, which we responded to within hours," Apple added, countering Barr's characterization of the company being slow in its approach to the FBI's needs. However, it ends the statement in no uncertain terms: "We have always maintained there is no such thing as a backdoor just for the good guys." Despite pressure from the government, Apple has long held that giving anyone the keys to users' data or a backdoor to their phones -- even in cases where terrorism or violence was involved -- would compromise every user. The company is clearly standing by those principles.
Windows

Cryptic Rumblings Ahead of First 2020 Patch Tuesday (krebsonsecurity.com) 37

Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."
Security

City of Las Vegas Said It Successfully Avoided Devastating Cyberattack (zdnet.com) 20

An anonymous reader quotes a report from ZDNet: Officials from the city of Las Vegas said they narrowly avoided a major security incident that took place on Tuesday, January 7. According to a statement published by the city on Wednesday, the compromise took place on Tuesday, at 4:30 am, in the morning. The city said IT staff immediately detected the intrusion and took steps to protect impacted systems. The city responded by taking several services offline, including its public website, which is still down at the time of writing.

City officials have not disclosed any details about the nature of the incident, but local press reported that it might have involved an email delivery vector. In a subsequent statement published on Twitter on Wednesday, the city confirmed it "resumed full operations with all data systems functioning as normal." "Thanks to our software security systems and fast action by our IT staff, we were fortunate to avoid what had the potential to be a devastating situation," it said. "We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications," the city also added.

Security

Unpatched Citrix Vulnerability Now Exploited, Patch Weeks Away 5

An anonymous reader quotes a report from Ars Technica: On December 16, 2019, Citrix revealed a vulnerability in the company's Application Delivery Controller and Gateway products -- commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet without the need for an account or authentication using a crafted Web request. Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests using the text that targets the flaw, break under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets.

This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have "worked aggressively" to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers -- especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet's Catalin Cimpanu reported.
"The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway's Web interface," the report adds. "The attacks use a request for the directory '/vpn/../vpns/' to fool the Apache Web server on the gateway to point to the '/vpns/' directory without authentication. The attacks then inject a command based on the template returned from the first request."

You can check for the vulnerability here.
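While the patch is pending, the one thing every affected operator can do immediately is look for the traversal pattern quoted above in the gateway's web logs. The following is an added detection example, not code from Citrix, Ars Technica or the cited researchers: it parses access-log lines in the common combined format, percent-decodes the request path, and flags any request that uses a `..` segment to land in `/vpns/`. The log lines are constructed samples with documentation-range addresses; the percent-encoded variant is included as a generalisation of the pattern the article quotes, since a traversal that reaches `/vpns/` only after decoding should be treated the same way.

```python
"""Flag requests that reach /vpns/ via directory traversal in gateway access logs."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jan/2020:10:01:05 +0000] "GET /vpn/../vpns/ HTTP/1.1" 200 128 "-" "python-requests/2.22"
203.0.113.9 - - [11/Jan/2020:10:01:06 +0000] "POST /vpn/../vpns/ HTTP/1.1" 200 54 "-" "python-requests/2.22"
203.0.113.9 - - [11/Jan/2020:10:01:07 +0000] "GET /vpn/%2e%2e/vpns/ HTTP/1.1" 200 128 "-" "curl/7.64"
198.51.100.4 - - [11/Jan/2020:10:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Jan/2020:10:02:03 +0000] "GET /vpn/../vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

def is_traversal_to_vpns(raw_path):
    """True when the path uses a '..' segment and resolves into /vpns/.

    Two passes of percent-decoding catch double-encoded dots; the check looks at
    the decoded segments, not the raw text, so encoding tricks do not hide '..'."""
    path = raw_path.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    has_dotdot = '..' in path.split('/')
    normalized = posixpath.normpath(path)
    return has_dotdot and (normalized == '/vpns' or normalized.startswith('/vpns/'))

def scan_log(text):
    """Return one dict per suspicious request: source IP, method, raw path, status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; skip rather than crash
        if is_traversal_to_vpns(m['path']):
            hits.append({'ip': m['ip'], 'method': m['method'],
                         'path': m['path'], 'status': int(m['status'])})
    return hits

def summarize(hits):
    """Count flagged requests per source IP so the noisiest sources surface first."""
    by_ip = {}
    for h in hits:
        by_ip[h['ip']] = by_ip.get(h['ip'], 0) + 1
    return by_ip

if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print('%(ip)s %(method)s %(path)s -> %(status)d' % h)
    print(summarize(found))
```

A 200 status on a flagged request is the worrying case: it means the traversal was served rather than rejected, so the host should be treated as possibly compromised until the permanent patch lands and the logs around those requests have been reviewed. Requests whose `..` resolves back into a legitimate directory (the last sample line) are not flagged, which keeps the rule from firing on ordinary sloppy links.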
EU

Bing Loses Out To DuckDuckGo in Google's New Android Search Engine Ballot (theverge.com) 37

Google announced last week the alternative search engines it will show to new Android users in the EU, with DuckDuckGo the most frequently offered choice and Bing tied for last place. From a report: EU citizens setting up Android devices from March 1 will be given a choice of four search engines to use as their default, including Google. Whichever provider they choose will become the default for searches made in Chrome and through Android's home screen search box. A dedicated app for that provider will also be installed on their device.
Businesses

Adobe Brings One of Its Last Legacy Products To the Cloud (bloomberg.com) 25

Adobe unveiled a cloud-based system to help clients build websites, bringing one of its last legacy products to the cloud almost a decade after shifting to internet-based software. From a report: The new content management system already is being used by some customers, the San Jose, California-based company said Monday in a statement. The software maker announced the service at the National Retail Federation conference in New York. Adobe is the largest vendor for enterprise customers in a $3.8 billion market for software that builds websites and manages digital assets, according to data from research firm IDC. The company said it's the first to provide a purely cloud-computing based solution to large business clients. The software maker currently manages 15 billion web page visits per day and more than 50 million digital assets, including images and videos, across its customer base. Wix.com and closely held Squarespace are among the competitors in the field.
Encryption

Barr Asks Apple To Unlock iPhones of Pensacola Gunman (nytimes.com) 195

Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman. From a report: Mr. Barr's appeal was an escalation of an ongoing fight between the Justice Department and Apple pitting personal privacy against public safety. "This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence," Mr. Barr said, calling on Apple and other technology companies to find a solution and complaining that Apple has provided no "substantive assistance."

Apple has given investigators materials from the iCloud account of the gunman, Second Lt. Mohammed Saeed Alshamrani, a member of the Saudi air force training with the American military, who killed three sailors and wounded eight others on Dec. 6. But the company has refused to help the F.B.I. open the phones themselves, which would undermine its claims that its phones are secure.

Windows

UK Govt Warns Not To Access Online Banking on Windows 7 (ibsintelligence.com) 80

The UK's National Cyber Security Centre (NCSC) is warning people against using online banking or accessing sensitive accounts from devices running Windows 7 from Tuesday, 14 January, when Microsoft ends support for the operating system. From a report: The NCSC, the government body for cybersecurity, is encouraging people to upgrade from Windows 7 as soon as possible, due to Microsoft's 2019 decision to stop providing technical support for the software. "The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices," the NCSC spokesperson said. "We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."
Privacy

Academic Research Finds Five US Telcos Vulnerable To SIM Swapping Attacks (zdnet.com) 17

A Princeton University academic study found that five major US prepaid wireless carriers are vulnerable to SIM swapping attacks. From a report: A SIM swap is when an attacker calls a mobile provider and tricks the telco's staff into changing a victim's phone number to an attacker-controlled SIM card. This allows the attacker to reset passwords and gain access to sensitive online accounts, like email inboxes, e-banking portals, or cryptocurrency trading systems. All last year, Princeton academics spent their time testing five major US telco providers to see if they could trick call center employees into changing a user's phone number to another SIM without providing proper credentials. According to the research team, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures with their customer support centers, procedures that attackers could use to conduct SIM swapping attacks. In addition, the research team also looked at 140 online services and websites and analyzed on which of these attackers could employ a SIM swap to hijack a user's account. According to the research team, 17 of the 140 websites were found to be vulnerable.
Programming

How Is Computer Programming Different Today Than 20 Years Ago? (medium.com) 325

This week a former engineer for the Microsoft Windows Core OS Division shared an insightful (and very entertaining) list with "some changes I have noticed over the last 20 years" in the computer programming world. Some excerpts: - Some programming concepts that were mostly theoretical 20 years ago have since made it to mainstream including many functional programming paradigms like immutability, tail recursion, lazily evaluated collections, pattern matching, first class functions and looking down upon anyone who doesn't use them...

- 3 billion devices run Java. That number hasn't changed in the last 10 years though...

- A package management ecosystem is essential for programming languages now. People simply don't want to go through the hassle of finding, downloading and installing libraries anymore. 20 years ago we used to visit web sites, downloaded zip files, copied them to correct locations, added them to the paths in the build configuration and prayed that they worked.

- Being a software development team now involves all team members performing a mysterious ritual of standing up together for 15 minutes in the morning and drawing occult symbols with post-its....

- Since we have much faster CPUs now, numerical calculations are done in Python which is much slower than Fortran. So numerical calculations basically take the same amount of time as they did 20 years ago...

- Even programming languages took a side on the debate on Tabs vs Spaces....

- Code must run behind at least three levels of virtualization now. Code that runs on bare metal is unnecessarily performant....

- A tutorial isn't really helpful if it's not a video recording that takes orders of magnitude longer to understand than its text.

- There is StackOverflow which simply didn't exist back then. Asking a programming question involved talking to your colleagues.

- People develop software on Macs.

In our new world where internet connectivity is the norm and being offline the exception, "Security is something we have to think about now... Because of side-channel attacks we can't even trust the physical processor anymore."

And of course, "We don't use IRC for communication anymore. We prefer a bloated version called Slack because we just didn't want to type in a server address...."
Education

Are We Teaching Engineers the Wrong Way to Think? (zdnet.com) 125

Tech columnist Chris Matyszczyk summarizes the argument of four researchers who are warning about the perils of pure engineer thought: They write, politely: "Engineers enter the workforce with important analysis skills, but may struggle to 'think outside the box' when it comes to creative problem-solving." The academics blame the way engineers are educated.

They explain there are two sorts of thinking -- convergent and divergent. The former is the one with which engineers are most familiar. You make a list of steps to be taken to solve a problem and you take those steps. You expect a definite answer. Divergent thinking, however, requires many different ways of thinking about a problem and leads to many potential solutions. These academics declare emphatically: "Divergent thinking skills are largely ignored in engineering courses, which tend to focus on a linear progression of narrow, discipline-focused technical information."

Ah, that explains a lot, doesn't it? Indeed, these researchers insist that engineering students "become experts at working individually and applying a series of formulas and rules to structured problems with a 'right' answer."

Oddly, I know several people at Google just like that.

Fortunately, the researchers are also proposing this solution:

"While engineers need skills in analysis and judgment, they also need to cultivate an open, curious, and kind attitude, so they don't fixate on one particular approach and are able to consider new data."
Databases

'Top Programming Skills' List Shows Employers Want SQL (dice.com) 108

Former Slashdot contributor Nick Kolakowski is now a senior editor at Dice Insights, where he's just published a list of the top programming skills employers were looking for during the last 30 days.

If you're a software developer on the hunt for a new gig (or you're merely curious about what programming skills employers are looking for these days), one thing is clear: employers really, really, really want technologists who know how to build, maintain, and scale everything database- (and data-) related.

We've come to that conclusion after analyzing data about programming skills from Burning Glass, which collects and organizes millions of job postings from across the country.

The biggest takeaway? "When it comes to programming skills, employers are hungriest for SQL." Here's their ranking of the most in-demand skills:
  1. SQL
  2. Java
  3. "Software development"
  4. "Software engineering"
  5. Python
  6. JavaScript
  7. Linux
  8. Oracle
  9. C#
  10. Git

The list actually includes the top 18 programming skills, but besides languages like C++ and .NET, it also includes more generalized skills like "Agile development," "debugging," and "Unix."

But Nick concludes that "As a developer, if you've mastered database and data-analytics skills, that makes you insanely valuable to a whole range of companies out there."


Bug

This Year's Y2K20 Bug Came Directly From 'A Lazy Fix' to the Y2K Bug (newscientist.com) 160

Slashdot reader The8re still remembers the Y2K bug. Now he shares a New Scientist article explaining how it led directly to this year's Y2020 bug -- which affected more than just parking meters: WWE 2K20, a professional wrestling video game, also stopped working at midnight on 1 January 2020. Within 24 hours, the game's developers, 2K, issued a downloadable fix. Another piece of software, Splunk, which ironically looks for errors in computer systems, was found to be vulnerable to the Y2020 bug in November. The company rolled out a fix to users the same week -- which include 92 of the Fortune 100, the top 100 companies in the US....

The Y2020 bug, which has taken many payment and computer systems offline, is a long-lingering side effect of attempts to fix the Y2K, or millennium bug. Both stem from the way computers store dates. Many older systems express years using two numbers -- 98, for instance, for 1998 -- in an effort to save memory. The Y2K bug was a fear that computers would treat 00 as 1900, rather than 2000. Programmers wanting to avoid the Y2K bug had two broad options: entirely rewrite their code, or adopt a quick fix called "windowing", which would treat all dates from 00 to 20 as from the 2000s, rather than the 1900s. An estimated 80 percent of computers fixed in 1999 used the quicker, cheaper option. "Windowing, even during Y2K, was the worst of all possible solutions because it kicked the problem down the road," says Dylan Mulvin at the London School of Economics....

Another date storage problem also faces us in the year 2038. The issue again stems from Unix's epoch time: the data is stored as a 32-bit integer, which will run out of capacity at 3.14 am on 19 January 2038.
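Both problems the article describes can be reproduced in a few lines. The following is an added example, not code from the article or from any of the affected vendors: it expands two-digit years the way a windowed fix does (window end 20 as the article states; the alternative window end of 19 is an assumption about systems that failed on 1 January 2020) and decodes seconds-since-epoch the way a 32-bit time_t would, so the 2038 rollover instant can be checked.

```python
"""Added example: 'windowing' of two-digit years and the 32-bit Unix epoch counter."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def window_year(yy, window_end=20):
    """Expand a two-digit year as a windowed Y2K fix does: 00..window_end is
    read as 20yy, anything above it as 19yy. The default window end of 20
    follows the article; a window end of 19 (assumption about systems that
    broke on 1 Jan 2020) maps '20' back to 1920."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy <= window_end else 1900 + yy


def parse_windowed_date(text, window_end=20):
    """Parse a constructed 'YY-MM-DD' record the way a windowed system would."""
    yy, mm, dd = (int(part) for part in text.split("-"))
    return datetime(window_year(yy, window_end), mm, dd)


def wrap_int32(value):
    """Value a signed 32-bit integer holds after `value` is stored in it
    (two's-complement wrap-around), computed without relying on C overflow."""
    value &= 0xFFFF_FFFF
    return value - 0x1_0000_0000 if value >= 0x8000_0000 else value


def int32_epoch_time(seconds):
    """Instant a system that stores Unix time in 32 bits decodes `seconds` as."""
    return EPOCH + timedelta(seconds=wrap_int32(seconds))


def y2038_rollover():
    """Return (last representable instant, what the following second decodes as)."""
    last = 2**31 - 1
    return int32_epoch_time(last), int32_epoch_time(last + 1)


if __name__ == "__main__":
    # Windowing only moves the cliff: '21' is already read as 1921.
    for yy in (98, 0, 20, 21):
        print(f"two-digit year {yy:02d} -> {window_year(yy)}")
    last, wrapped = y2038_rollover()
    print("32-bit time_t ends at", last.isoformat())
    print("one second later it reads", wrapped.isoformat())
```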

Encryption

A Quick Look At the Fight Against Encryption (linuxsecurity.com) 87

b-dayyy shared this overview from the Linux Security site: Strong encryption is imperative to securing sensitive data and protecting individuals' privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies... This fear of strong, unbroken encryption is not only unfounded -- it is dangerous. Encryption with built-in backdoors which provide special access for select groups not only has the potential to be abused by law enforcement and government agencies by allowing them to eavesdrop on potentially any digital conversation, it could also be easily exploited by threat actors and criminals.

U.S. Attorney General William Barr and U.S. senators are currently pushing for legislation that would force technology companies to build backdoors into their products, but technology companies are fighting back full force. Apple and Facebook have spoken out against the introduction of encryption backdoors, warning that it would introduce massive security and privacy threats and would serve as an incentive for users to choose devices from overseas. Apple's user privacy manager Erik Neuenschwander states, "We've been unable to identify any way to create a backdoor that would work only for the good guys." Facebook has taken a more defiant stance on the issue, adamantly saying that it would not provide access to encrypted messages in Facebook and WhatsApp.

Senator Lindsey Graham has responded to this resistance authoritatively, advising the technology giants to "get on with it", and stating that the Senate will ultimately "impose its will" on privacy advocates and technologists. However, Graham's statement appears unrealistic, and several lawmakers have indicated that Congress won't make much progress on this front in 2020...

Encryption is an essential component of digital security that should be embraced, not feared. In any scenario, unencrypted data is subject to prying eyes. Strong, unbroken encryption is vital in protecting privacy and securing data both in transit and in storage, and backdoors would leave sensitive data vulnerable to tampering and theft.

Facebook

A Facebook Bug Exposed Anonymous Admins of Pages (wired.com) 17

An anonymous reader quotes a report from Wired: Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one -- but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves.

Facebook says the bug was the result of a code update that it pushed Thursday evening. Facebook points out that no information beyond a name and public profile link was available, but that information isn't supposed to appear in the edit history at all. And for people, say, running anti-regime Pages under a repressive government, making even that much information public is plenty alarming.

Security

SIM Swappers Are Using RDP To Directly Access Internal T-Mobile, AT&T, and Sprint Tools (vice.com) 40

An anonymous reader quotes a report from Motherboard: Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted. The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It's commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds.

This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they're tricking telecom employees into installing or activating RDP software, and then remotely reaching into the company's systems to SIM swap individuals. The process starts with convincing an employee in a telecom company's customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, "and they believe it." Hackers may also convince employees to provide credentials to an RDP service if they already use it. Once RDP is enabled, "They RDP into the store or call center [computer] [...] and mess around on the employees' computers including using tools," said Nicholas Ceraolo, an independent security researcher who first flagged the issue to Motherboard. Motherboard then verified Ceraolo's findings with the active SIM swapper.

Security

Hundreds of Millions of Cable Modems Are Vulnerable To New Cable Haunt Vulnerability (zdnet.com) 26

A team of four Danish security researchers this week disclosed a security flaw that impacts cable modems that use Broadcom chips. From a report: The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality. On most cable modems, access to this component is limited to connections from the internal network. The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
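The DNS rebinding protection the report says is missing is, for an HTTP interface, a check that the Host header names the device itself: a rebinding request is sent by a browser that believes it is talking to the attacker's site, so its Host header carries the attacker's domain rather than the modem's address. The following is an added example of that check, not code from the Cable Haunt researchers or from Broadcom; the device addresses, the /spectrum path and the sample requests are constructed.

```python
"""Added example: Host-header validation as a defence against DNS rebinding."""
import ipaddress

# Names and addresses this device legitimately serves on (constructed values).
ALLOWED_HOSTS = {"192.168.100.1", "modem.local"}


def parse_host_header(value):
    """Split an HTTP Host header into (host, port); port is None if absent.
    Accepts bracketed IPv6 literals such as '[fe80::1]:8080' and raises
    ValueError on anything malformed."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:] if rest else None
    else:
        host, sep, port = value.partition(":")
        port = port if sep else None
    if not host:
        raise ValueError("empty host")
    if port is not None and not port.isdigit():
        raise ValueError("non-numeric port")
    return host.lower(), (int(port) if port is not None else None)


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the Host header names this device. A missing or
    malformed header is rejected: a LAN client sends the address it typed
    or clicked, while a rebinding request carries the attacker's domain."""
    if not host_header:
        return False
    try:
        host, _port = parse_host_header(host_header)
    except ValueError:
        return False
    try:
        host = str(ipaddress.ip_address(host))  # canonical form for IP literals
    except ValueError:
        pass  # not an IP literal; compare as a lower-cased hostname
    return host in {h.lower() for h in allowed}


def triage_requests(raw_requests):
    """Apply the check to raw HTTP requests; returns [(host header, allowed?)]
    in the order given. Header names are matched case-insensitively."""
    results = []
    for raw in raw_requests:
        headers = {}
        for line in raw.split("\r\n")[1:]:
            if ":" in line:
                name, _, val = line.partition(":")
                headers[name.strip().lower()] = val.strip()
        host = headers.get("host", "")
        results.append((host, host_is_allowed(host)))
    return results


# Constructed sample traffic: a LAN user, a rebinding attempt, a mixed-case
# name with a port, an IPv6 loopback literal, and a request without Host.
SAMPLE_REQUESTS = [
    "GET /spectrum HTTP/1.1\r\nHost: 192.168.100.1\r\n\r\n",
    "GET /spectrum HTTP/1.1\r\nHost: attacker.example\r\n\r\n",
    "GET /spectrum HTTP/1.1\r\nHost: MODEM.local:8080\r\n\r\n",
    "GET /spectrum HTTP/1.1\r\nHost: [::1]:80\r\n\r\n",
    "GET /spectrum HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for host, ok in triage_requests(SAMPLE_REQUESTS):
        print(f"{'allow' if ok else 'reject':6} Host={host!r}")
```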
Encryption

Over Two Dozen Encryption Experts Call on India To Rethink Changes To Its Intermediary Liability Rules (techcrunch.com) 36

Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules. From a report: In an open letter to India's IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet. The Indian government proposed a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes.

The originally proposed rules say that intermediaries -- which the government defines as those services that facilitate communication between two or more users and have five million or more users in India -- will have to proactively monitor and filter their users' content and be able to trace the originator of questionable content to avoid assuming full liability for their users' actions. "By tying intermediaries' protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures," the experts wrote in the letter, coordinated by the Internet Society.

Mozilla

Mozilla Says a New Firefox Security Bug is Under Active Attack (techcrunch.com) 68

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in "targeted attacks" against users. From a report: The vulnerability, found by Chinese security company Qihoo 360, is in Firefox's just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer. In practical terms, that means an attacker can quietly break into a victim's computer by tricking the victim into accessing a website running malicious JavaScript code. But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.
Microsoft

Skype Audio Graded by Workers in China With 'No Security Measures' (theguardian.com) 21

A Microsoft program to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with "no security measures," according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company. From a report: The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google's Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor. Workers had no cybersecurity help to protect the data from criminal or state interference, and were even instructed to do the work using new Microsoft accounts all with the same password, for ease of management, the former contractor said. Employee vetting was practically nonexistent, he added.

"There were no security measures, I don't even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details," he told the Guardian. While the grader began by working in an office, he said the contractor that employed him "after a while allowed me to do it from home in Beijing. I judged British English (because I'm British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login." Both username and password were emailed to new contractors in plaintext, he said, with the former following a simple schema and the latter being the same for every employee who joined in any given year.

IT

Admit It: You Have a Box of Cords You'll Never, Ever Use Again (wsj.com) 246

What's this one for? Who knows! Electronic gadgets fade away but their cables live on forever at home. From a report: There's a box that moved with Sarah Loveless and her husband from San Diego to Charleston, S.C., from Charleston to Dallas and from Dallas to Richland, Wash. The box, never unpacked, went into a closet or the garage each time. Contents: 20 to 30 electronics cords. "The box was just always a part of our life," says Ms. Loveless, 38. "It wasn't useful to us. We weren't doing anything with it except for moving it." Four years ago, they sorted through the box, paired a handful of cords with the respective devices and got rid of the rest. It was like having a weight lifted, she says and remembers thinking: "This isn't going to happen again. Why would we keep cords we don't need?" Then last summer, going through the garage, Ms. Loveless noticed a bag. "There is another collection of cords," she says. "I was just kind of, like, I thought we handled this. I thought this was in the past."

For as long as consumer electronics have existed, people have had a hard time ditching the old cords to expired and outdated devices. The TV sets, computers, printers, camcorders, VCRs, DVD players, MiniDisc players, BlackBerrys and iPods that the cords belonged to may not even be in their owner's possession. But the cords survive, squirreled away in drawers and bags and boxes. They might be useful someday, people tell themselves, even if some cords' purposes are lost to history. Henry Hall, of Bradenton, Fla., recalls going through his girlfriend's stuff after it came off the moving truck when she moved in with him in 2011. "There's this filing cabinet," says Mr. Hall, 34, a freelance artist who remembers her telling him: "That's just cords that I haven't sorted through."

Security

Amazon Warned Holiday Shopper That Honey, a Popular Browser Extension, Was a 'Security Risk' (wired.com) 29

In an apparent swipe at PayPal's recent $4 billion acquisition of Honey, a popular browser extension that tracks prices and discount codes, Amazon labeled the service as "a security risk" for shoppers over the holidays. Wired reports: "Honey tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit," the message read. "To keep your data private and secure, uninstall this extension immediately." It was followed by a hyperlink where users could learn how to do so. Screenshots of the warning were posted to forums and social media by Honey users, like Ryan Hutchins, an editor at Politico.

Honey isn't some obscure browser extension from an unknown developer. Founded in 2012, the Los Angeles-based startup now boasts over 17 million users. It finds discount codes to save shoppers money at tens of thousands of online retailers, including Amazon. Amazon's warning, which began appearing on December 20, confused and angered many of Honey's users, some of whom complained on its official social media channels. The browser extension has been compatible with Amazon since it was founded, and it is a significant part of Honey's appeal. Amazon declined to explain why it decided to label Honey a security risk so suddenly last month. "Our goal is to warn customers about browser extensions that collect personal shopping data without their knowledge or consent," a spokesperson for the company said in a statement. They declined to answer follow-up questions about the basis for that claim.

Honey says in its privacy policy that it doesn't "track your search engine history, emails, or your browsing on any site that is not a retail website."

"We're aware that Droplist and other Honey features were not available on Amazon for a period of time. We know these are tools that people love and worked quickly to restore the functionality. Our extension is not -- and has never been -- a security risk and is safe to use," a Honey spokesperson said.
Android

Unremovable Malware Found Preinstalled on Low-End Smartphone Sold in the US (zdnet.com) 56

Low-end smartphones sold to low-income Americans via a government-subsidized program contain unremovable malware, security firm Malwarebytes said today in a report. From a report: The smartphone model is Unimax (UMX) U686CL, a low-end Android-based smartphone made in China and sold by Assurance Wireless, a cell phone service provider that is part of the Virgin Mobile group. The telco sells cell phones as part of Lifeline, a government program that subsidizes phone service for low-income Americans. "In late 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious," Malwarebytes said in a report published today. The company said it purchased a UMX U686CL smartphone and analyzed it to confirm the reports it was receiving.
Security

Unpatched VPN Makes Travelex Latest Victim of 'REvil' Ransomware (arstechnica.com) 34

An anonymous reader quotes a report from Ars Technica: In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software -- a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware.

Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6 million. They also claimed to have had access to Travelex's network for six months and to have extracted five gigabytes of customer data -- including dates of birth, credit card information, and other personally identifiable information. "In the case of payment, we will delete and will not use that [data]base and restore them the entire network," the individual claiming to be part of the Sodinokibi operation told the BBC. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base." Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August of 2019.

Security

Foreign Exchange Company Travelex Being Held To Ransom By Hackers (bbc.com) 64

Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper. From a report: On New Year's Eve, hackers launched their attack on the Travelex network. As a result, the company took down its websites across 30 countries to contain "the virus and protect data." A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6 million. The gang, also known as REvil, claims to have gained access to the company's computer network six months ago and to have downloaded 5GB of sensitive customer data. Dates of birth, credit card information and national insurance numbers are all in their possession, they say. The hackers said: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."
Security

Half of the Websites Using WebAssembly Use it for Malicious Purposes (zdnet.com) 109

Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year. From a report: WebAssembly is a low-level bytecode language that was created through a joint collaboration between all major browser vendors. It introduces a new binary file format for transmitting code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) executes with near-native speed, similar to compiled C, C++, or Rust code. WebAssembly was created for both speed and performance. Due to its binary machine-friendly format, Wasm code is smaller than its equivalent JavaScript form, but also many times faster when executing. This has made WebAssembly the next incarnation of Adobe Flash, allowing websites to run complex CPU-intensive code without freezing a browser, a task for which JavaScript was never designed or optimized.
Encryption

FBI Asks Apple To Help Unlock Two iPhones (nytimes.com) 134

An anonymous reader quotes a report from The New York Times: The encryption debate between Apple and the F.B.I. might have found its new test case. The F.B.I. said on Tuesday that it had asked Apple for the data on two iPhones that belonged to the gunman in the shooting last month at a naval base in Pensacola, Fla., possibly setting up another showdown over law enforcement's access to smartphones. Dana Boente, the F.B.I.'s general counsel, said in a letter to Apple that federal investigators could not gain access to the iPhones because they were locked and encrypted and their owner, Second Lt. Mohammed Saeed Alshamrani of the Saudi Royal Air Force, is dead. The F.B.I. has a search warrant for the devices and is seeking Apple's assistance executing it, the people said.

Apple said in a statement that it had given the F.B.I. all the data "in our possession" related to the Pensacola case when it was asked a month ago. "We will continue to support them with the data we have available," the company said. Apple regularly complies with court orders to turn over information it has on its servers, such as iCloud data, but it has long argued that it does not have access to material stored only on a locked, encrypted iPhone. Before sending the letter, the F.B.I. checked with other government agencies and its national security allies to see if they had a way into the devices -- but they did not, according to one of the people familiar with the investigation.

"The official said the F.B.I. was not asking Apple to create a so-called backdoor or technological solution to get past its encryption that must be shared with the government," the report adds. "Instead, the government is seeking the data that is on the two phones, the official said."

"Apple has argued in the past that obtaining such data would require it to build a backdoor, which it said would set a dangerous precedent for user privacy and cybersecurity." Apple did not comment on the request.
Chrome

Google Chrome To Hide Notification Spam Starting February 2020 (zdnet.com) 50

Following in Mozilla's footsteps, Google announced today plans to hide notification popup prompts inside Chrome starting next month, February 2020. ZDNet reports: According to a blog post published today, Google plans to roll out a "quieter notification permission UI that reduces the interruptiveness of notification permission requests." The change is scheduled for Google Chrome 80, scheduled for release on February 4, next month.

Starting with Chrome 80 next month, Google's browser will also block most notification popups by default, and show an icon in the URL bar, similar to Firefox. When Chrome 80 launches next month, a new option will be added in the Chrome settings section that allows users to enroll in the new "quieter notification UI." Users can enable this option as soon as Chrome 80 is released, or they can wait for Google to enable it by default as the feature rolls out to the wider Chrome userbase in the following weeks. According to Google, the new feature works by hiding notification requests for Chrome users who regularly dismiss notification prompts. Furthermore, Chrome will also automatically block notification prompts on sites where users rarely accept notifications.

Mozilla

GitHub, Mozilla, and Cloudflare Appeal India To Be Transparent About Changes in Its Intermediary Liability Rules (techcrunch.com) 14

Microsoft's GitHub, Mozilla, and Cloudflare have urged India to be transparent about the amendments it is making to an upcoming law that could affect swathes of companies and the way more than half a billion people access information online. From a report: In December 2018, the Indian government proposed changes to its intermediary rules that would require any service that facilitates communication between two or more users and had more than 5 million users in India to set up a local office and have a senior executive in the nation who could be held responsible for any legal issues. The proposal also suggested that any of these services must be able to take down questionable content within 24 hours and share the user data within 72 hours of a request. Technology giants such as Facebook and Google have so far enjoyed what is known as "safe harbor" laws. The laws, currently applicable in the U.S. under the Communications Decency Act and in India through its 2000 Information Technology Act, say that tech platforms won't be held liable for the things their users share on the platform.

Several organizations have shared feedback and expressed concern about the suggested changes in India's intermediary rules. In an open letter addressed to India's IT Minister Ravi Shankar Prasad on Tuesday, GitHub, Mozilla, and Cloudflare requested the Indian government to be more transparent about the final amendments it has drafted for the upcoming law. The Indian government has said previously that it would submit the final draft of the proposal to the nation's apex Supreme Court by January 15. But one of the concerning issues with the proposal is that nobody -- except for the government officials -- knows what is in the final draft.

Firefox

Firefox 72 Arrives With Fingerprinting Blocked By Default, Picture-in-Picture on macOS and Linux (venturebeat.com) 49

Mozilla today launched Firefox 72 for Windows, Mac, Linux, and Android. Firefox 72 includes fingerprinting scripts blocked by default, less annoying notifications, and Picture-in-Picture video on macOS and Linux. There isn't too much else here, as Mozilla has now transitioned Firefox releases to a four-week cadence (from six to eight weeks).
Security

Self-Sovereign ID Tech Is Being Advanced By Security Failures, Privacy Breaches (computerworld.com) 27

Lucas123 writes: There is a growing movement among fintech companies, banks, healthcare services, universities and others toward disintermediating the control of online user identities in favor of supporting end-user controlled decentralized digital wallets based on P2P blockchain. Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without intervening administrative authorities. The wallets would carry encryption keys provided by third parties and could be used to digitally sign transactions or provide access to verifying information, everything from bank-issued credit lines to diplomas -- all of which are controlled by the user through public key infrastructure (PKI). The blockchain ledger and PKI technology are hidden behind user-friendly mobile applications. Currently, there are more proof-of-concept projects than production systems involving a small number of organizations. The pilots, being trialed in government, financial services, insurance, healthcare, energy and manufacturing, don't yet amount to an entire ecosystem, but they will grow over the next few years, according to Gartner.
United Kingdom

The UK Health System Tries Spending Millions To Reduce The Time Spent Logging In To Things (theguardian.com) 118

The UK's National Health Service (NHS) is getting £40m (about $52.3 million) to try reducing login times on its IT systems, "a move the government says could free up thousands of staffing hours a day as the saved seconds add up," according to the Guardian.

They note estimates that switching to a "single sign-on" system reduced login times from 105 seconds to just 10 at one hospital, ultimately saving them 130 staffing hours a day.

TheNinjaCoder shared their report: In a typical hospital, staff need to log in to as many as 15 systems when tending to a patient. As well as taking up time, the proliferation of logins requires staff either to remember multiple complex passwords or, more likely, compromise security by reusing the same one on every system. The health secretary, Matt Hancock, said: "It is frankly ridiculous how much time our doctors and nurses waste logging on to multiple systems. As I visit hospitals and GP practices around the country, I've lost count of the amount of times staff complain about this. It's no good in the 21st century having 20th-century technology at work.

"This investment is committed to driving forward the most basic frontline technology upgrades, so treatment can be delivered more effectively and we can keep pace with the growing demand on the NHS."

Security

Starbucks Devs Leave API Key in GitHub Public Repo (bleepingcomputer.com) 26

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," reports Bleeping Computer: Vulnerability hunter Vinoth Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded that it demonstrated "significant information disclosure" and that it qualified for a bug bounty... Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.

Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250-$375. The company solved 834 reports since launching the bug bounty program in 2016, and 369 of them were reported in the past three months. For them, Starbucks spent $40,000.
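As an added example, not code from Starbucks, Bleeping Computer or the researcher, here is a small Go scanner of the kind that catches this class of mistake before a commit reaches a public repository. It runs prefix-based rules for AWS access key IDs and GitHub personal access tokens, a name-anchored rule for AWS secret access keys (which have no recognizable prefix), and a generic rule for secret-looking assignments that is suppressed for documentation placeholders and for low-entropy filler. The rule set, the entropy threshold, the placeholder list and the embedded config file are constructed for illustration; every key-shaped value in the sample is made up and matches only the format, not any real credential.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected credential in scanned text.
type Finding struct {
	Line  int    // 1-based line number
	Rule  string // which rule fired
	Value string // the suspected secret (real tooling should store it redacted)
}

type rule struct {
	name       string
	re         *regexp.Regexp
	valueGroup int  // submatch index holding the secret value (0 = whole match)
	generic    bool // generic rules only run on lines no specific rule matched
}

var rules = []rule{
	// AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary STS) prefix.
	{"aws-access-key-id", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`), 0, false},
	// AWS secret access keys carry no prefix, so anchor on the variable name instead.
	{"aws-secret-access-key", regexp.MustCompile(`(?i)aws[a-z_]*secret[a-z_]*\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})`), 1, false},
	// GitHub personal access tokens (classic) carry a ghp_ prefix.
	{"github-pat", regexp.MustCompile(`\bghp_[0-9A-Za-z]{36}\b`), 0, false},
	// Catch-all: a secret-looking value assigned to a key/secret/token/password variable.
	{"generic-secret-assignment", regexp.MustCompile(`(?i)\b\w*(?:key|secret|token|password)\w*\s*[:=]\s*["']?([A-Za-z0-9/+_\-]{16,})`), 1, true},
}

// placeholders are substrings that mark documentation values rather than live credentials
// (an assumed list; real scanners ship longer allowlists).
var placeholders = []string{"EXAMPLE", "REPLACE", "CHANGEME", "YOUR_", "XXXX", "<", ">"}

// shannonEntropy returns bits per character: a random token is typically above 3.5,
// while filler like "0000000000000000" scores 0.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	n := float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func looksLikePlaceholder(v string) bool {
	u := strings.ToUpper(v)
	for _, p := range placeholders {
		if strings.Contains(u, p) {
			return true
		}
	}
	return false
}

// Scan runs every rule over content line by line. Specific rules always report;
// the generic rule is skipped on lines a specific rule already matched and is
// suppressed for placeholders and low-entropy values.
func Scan(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		specificHit := false
		for _, r := range rules {
			if r.generic && specificHit {
				continue
			}
			for _, m := range r.re.FindAllStringSubmatch(line, -1) {
				v := m[r.valueGroup]
				if r.generic && (looksLikePlaceholder(v) || shannonEntropy(v) < 3.0) {
					continue
				}
				out = append(out, Finding{Line: i + 1, Rule: r.name, Value: v})
				if !r.generic {
					specificHit = true
				}
			}
		}
	}
	return out
}

// redact keeps only a short prefix so a report does not re-leak the secret it found.
func redact(v string) string {
	if len(v) <= 4 {
		return "****"
	}
	return v[:4] + strings.Repeat("*", len(v)-4)
}

// SampleConfig is a constructed file, not from any real repository; the key-shaped
// values are made up and only have the right length and alphabet.
const SampleConfig = `# constructed sample config
aws_region = us-east-1
aws_access_key_id = AKIAQ4V7N2H8XJ3KLM9P
aws_secret_access_key = 7Qn4tZx9Lp2Rw8Ks1Vb6Mc3Hf5Jd0Yg9Ue2Ta8Wr
api_key = "REPLACE_WITH_YOUR_KEY"
password = "0000000000000000"
db_password = "hunter2"
secret = "s3cr3tV4lu3W1thEntropyZz9"
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
`

func main() {
	for _, f := range Scan(SampleConfig) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, redact(f.Value))
	}
}
```

On the sample it reports the access key ID, the secret access key, the high-entropy generic secret and the GitHub token, and stays quiet on the placeholder and the all-zero value. Two caveats matter in practice: "hunter2" slips under the generic rule's 16-character floor, which is the usual trade-off between false positives and short passwords, so wire a dedicated scanner into a pre-commit hook rather than relying on one regex set; and scanning is only the detection half, because a key that has ever been pushed to a public repository has to be revoked and rotated no matter how quickly the commit is rewritten, which is the step the Starbucks remediation had to include.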

Crime

'Police Tracked a Terror Suspect on WhatsApp -- Until His Phone Went Dark After a Warning From Facebook' (morningstar.com) 113

"A team of European law-enforcement officials was hot on the trail of a potential terror plot in October, fearing an attack during Christmas season, when their keyhole into a suspect's phone went dark," reports the Wall Street Journal: WhatsApp, Facebook Inc.'s popular messaging tool, had just notified about 1,400 users -- among them the suspected terrorist -- that their phones had been hacked by an "advanced cyber actor."

An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation. A judge in the Western European country had authorized investigators to deploy all means available to get into the suspect's phone, for which the team used its government's existing contract with NSO. The country's use of NSO's spyware wasn't known to Facebook... WhatsApp's Oct. 29 message to users warned journalists, activists and government officials that their phones had been compromised, Facebook said. But it also had the unintended consequence of potentially jeopardizing multiple national-security investigations in Western Europe about which Facebook hadn't been alerted -- and about which government agencies can't formally complain, given their secret nature...

NSO has faced criticism for selling its products to government agencies in the Middle East, Mexico and India, which Facebook and human-rights research group Citizen Lab, among others, allege used them to spy on dissidents, religious leaders, journalists and political opponents. Among the 1,400 WhatsApp users notified in October, more than 100 fell into these categories, Citizen Lab said. The group, which is based at the University of Toronto's Munk School of Global Affairs and Public Policy, worked with Facebook on identifying these people... Citizen Lab has issued reports for several years linking NSO's spyware to governments with a history of human-rights abuses, and said that record should put NSO out of the running for government contracts from Western agencies, said Ronald Deibert, Citizen Lab's director. "What we have been trying to do with our research is to raise alarm bells...."

On the day WhatsApp sent its alert, the official overseeing the terror investigation in Western Europe said, he was stuck in traffic on his way to work when a call came in from Israel. "Have you seen the news? We've got a problem," he said he was told. WhatsApp was notifying suspects whom his team was tracking that their phones had been hacked. "No, that can't be right. Why would they do that?" the official said he asked his contact, thinking it a joke. The most immediate concern was a suspected terrorist investigators linked to Islamic State. They had received a tip he was part of a group plotting an attack around Christmas. Once they saw the suspect's phone receive WhatsApp's alert, the phone went dark, the official said. The sleuths soon lost access to the suspect's messages, the official said, indicating he had discarded or disabled the phone. "We only had that one phone," the official said.

Though that suspect was still under traditional surveillance, "He's not the only suspect we have to follow..." the official complained to the Wall Street Journal, adding that their counterparts in other Western European countries told him more than 10 other investigations "may have been" compromised by WhatsApp's alert.

The Journal also notes that tech companies "have come under growing pressure in the U.S. and Europe to give law enforcement a back door into encrypted messages. But they are also under fire for not doing enough to protect the privacy of their users and, in some jurisdictions, they have legal obligations to disclose security breaches."
The Military

Will Iran Launch a Cyberattack Against the U.S.? (msn.com) 174

"Iranian officials are likely considering a cyber-attack against the U.S. in the wake of an airstrike that killed one of its top military officials," reports Bloomberg: In a tweet after the airstrike on Thursday, Christopher Krebs, director of the U.S. Cybersecurity and Infrastructure Security Agency, repeated a warning from the summer about Iranian malicious cyber-attacks, and urged the public to brush up on Iranian tactics and to pay attention to critical systems, particularly industrial control infrastructure... John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye Inc., said Iran has largely resisted carrying out attacks in the U.S. so far. But "given the gravity of this event, we are concerned any restraint they may have demonstrated could be replaced by a resolve to strike closer to home."

Iranian cyber-attacks have included U.S. universities and companies, operators of industrial control systems and banks. Iranian hackers tried to infiltrate the Trump campaign, and they have launched attacks against current and former U.S. government officials and journalists. The U.S., meanwhile, has employed cyberweapons to attack Iran's nuclear capabilities and computer systems used to plot attacks against oil tankers, according to the New York Times....

James Lewis, senior vice president at the Center for Strategic & International Studies, said Iranian retaliation may include the use of force, but the government is also likely asking hackers for a list of options. "Cyber-attacks may be tempting if they can find the right American target," Lewis said. "The Iranians are pretty capable and our defenses are uneven, so they could successfully attack poorly defensed targets in the U.S. There are thousands, but they would want something dramatic."

Mother Jones shares another perspective: There's little reason to think that Iran could pull off a truly spectacular attack, such as disabling major electric grids or other big utilities, said Robert M. Lee, an expert in industrial control systems security and the CEO of Dragos. "People should not be worried about large scale attacks and impacts that they can largely think about in movies and books like an electric grid going down." Instead, Iran might choose targets that are less prominent and less secure.

"The average citizen should not be concerned," he said, "but security teams at [U.S.] companies should be on a heightened sense of awareness."

Security

Google Disables All Xiaomi Device Integrations Pending Security Review (google.com) 17

New submitter jasonbuechler writes: Related to the Xiaomi post the other day, Google has entirely disabled Google Assistant/Home integration with Xiaomi devices pending further testing. Google issued the following statement:

Hi everyone,

Late night on January 1st, we were made aware of an issue where a Reddit user posted that their Nest Hub was able to access other people's Xiaomi camera feeds. We've been working with Xiaomi and we're comfortable that the issue was limited to their camera technology platform. While we worked on this issue with Xiaomi, we made the decision to disable all Xiaomi integrations on our devices. We understand this had a significant impact on users of Xiaomi devices but the security and privacy of our users is our priority and we felt this was the appropriate action.

We're re-enabling Xiaomi device integrations for everything but camera streaming after necessary testing has been completed. We will not reinstate camera functionality for Xiaomi devices until we are confident that the issue has been fully resolved. We'll keep you updated with information as more becomes available to share.
UPDATE: Speaking to Engadget, Xiaomi says that the issue occurred due to a cache update, which made the stills pop up if a user had that camera and that display under poor network conditions. According to the company, only 1,044 users had this setup with a "few" experiencing the poor network connection that would make it appear, and they have fixed the issue on their end. The full statement is available on Engadget's report.
Math

Why Some Rope Knots Hold Better Than Others (scitechdaily.com) 45

A reader shares a report from SciTechDaily: MIT mathematicians and engineers have developed a mathematical model that predicts how stable a knot is, based on several key properties, including the number of crossings involved and the direction in which the rope segments twist as the knot is pulled tight. "These subtle differences between knots critically determine whether a knot is strong or not," says Jorn Dunkel, associate professor of mathematics at MIT. "With this model, you should be able to look at two knots that are almost identical, and be able to say which is the better one." "Empirical knowledge refined over centuries has crystallized out what the best knots are," adds Mathias Kolle, the Rockwell International Career Development Associate Professor at MIT. "And now the model shows why."
[...]
In comparing the diagrams of knots of various strengths, the researchers were able to identify general "counting rules," or characteristics that determine a knot's stability. Basically, a knot is stronger if it has more strand crossings, as well as more "twist fluctuations" -- changes in the direction of rotation from one strand segment to another. For instance, if a fiber segment is rotated to the left at one crossing and rotated to the right at a neighboring crossing as a knot is pulled tight, this creates a twist fluctuation and thus opposing friction, which adds stability to a knot. If, however, the segment is rotated in the same direction at two neighboring crossings, there is no twist fluctuation, and the strand is more likely to rotate and slip, producing a weaker knot. They also found that a knot can be made stronger if it has more "circulations," which they define as a region in a knot where two parallel strands loop against each other in opposite directions, like a circular flow.

By taking into account these simple counting rules, the team was able to explain why a reef knot, for instance, is stronger than a granny knot. While the two are almost identical, the reef knot has a higher number of twist fluctuations, making it a more stable configuration. Likewise, the zeppelin knot, because of its slightly higher circulations and twist fluctuations, is stronger, though possibly harder to untie, than the Alpine butterfly -- a knot that is commonly used in climbing.
The findings have been published in the journal Science.
Security

Company Shuts Down Because of Ransomware, Leaves 300 Without Jobs Just Before Holidays (zdnet.com) 135

An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn't go according to plan following a ransomware incident that took place at the start of October 2019. From a report: Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company's CEO. Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard. "Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically 'held us hostage for ransom' and we were forced to pay the crooks to get the 'key' just to get our systems back up and running," wrote Sandra Franecke, the company's CEO, in the letter sent to employees. She goes on to say that data recovery efforts, initially estimated at one week, have not gone according to plan and the company had failed to recover full service by Christmas. Franecke said the company lost "hundreds of thousands of dollars" because of the incident and has been forced to "restructure different areas in the company." As a result of the botched ransomware recovery process, the company's leadership decided to suspend all services, leaving more than 300 employees without jobs.
