Operating Systems

Torvalds Calls For Calm as Bcachefs Filesystem Doesn't Make Linux 6.5 79

Posted by msmash from the tough-luck dept.
Linus Torvalds has delivered the first release candidate for version 6.5 of the Linux kernel, but warned this release may not go entirely smoothly. From a report: Torvalds's headline assessment of rc1 is "none of it looks hugely unusual." "The biggest single mention probably goes to what wasn't merged, with the bcachefs pull request resulting in a long thread (we didn't hit a hundred emails yet, but it's not far away)." As The Register reported in 2022, bcachefs is a filesystem that's been in development for nigh on a decade without being added to the kernel.

Kernel-watching outlet Phoronix on Sunday wrote that the filesystem is in good shape but debate over "code changes needed to the kernel outside of the kernel module itself" have proved contentious. As a result, conversation on the Linux kernel mailing list is "often becoming heated" when the topic turns to bcachefs. In his announcement post for rc1, Torvalds wrote "Let's calm this party down."
IT

Windows 95, 98, and Other Decrepit Versions Can Grab Online Updates Again (arstechnica.com) 48

Posted by msmash from the how-about-that dept.
An anonymous reader shares a report: If you have any interest in retro-computing, you know it can be difficult to round up the last official bug fixes and updates available for early Internet-era versions of Windows like 95, 98, and NT 4.0. A new independent project called "Windows Update Restored" is aiming to fix that, hosting lightly modified versions of old Windows Update sites and the update files themselves so that fresh installs of these old operating systems can grab years' worth of fixes that aren't present on old install CDs and disks. These old versions of Windows relied primarily on a Windows Update web app to function rather than built-in updaters like the ones used in current Windows versions. Microsoft took down the version of the site that could scan and update Windows 95 and 98 sometime in mid-2011. The Windows Update Restored site is a lightly modified version of Microsoft's original code, and the site itself doesn't use any kind of SSL or TLS encryption, so ancient Internet Explorer versions can still access it without modification. You'll need at least Internet Explorer 5 to access the Windows Update Restored update sites; that browser is no longer available directly from Microsoft, but the Windows Update Restored site offers download links to IE5 and IE5.5 in all supported languages.
United Kingdom

UK Battles Hacking Wave as Ransomware Gang Claims 'Biggest Ever' NHS Breach (techcrunch.com) 26

Posted by msmash from the security-woes dept.
The U.K.'s largest NHS trust has confirmed it's investigating a ransomware incident as the country's public sector continues to battle a rising wave of cyberattacks. From a report: Barts Health NHS Trust, which runs five London-based hospitals and serves more than 2.5 million patients, was recently added to the dark web leak site of the ALPHV ransomware gang. The gang, also known as BlackCat, says it has stolen 70 terabytes of sensitive data in what it claims is the biggest breach of healthcare data in the United Kingdom. Samples of the allegedly stolen data, seen by TechCrunch, include employee identification documents, including passports and driver licenses, and internal emails labeled "confidential."

When asked by TechCrunch, a Barts Health spokesperson did not dispute that it was affected by a security incident that involved the exfiltration of data, nor did they dispute the legitimacy of the stolen data samples shared by ALPHV. "We are aware of claims of a ransomware attack and are urgently investigating," the spokesperson, who did not provide their name, told TechCrunch.
IT

Big-Tech Cities Are Still 'Facing a Reckoning' from Remote Work (seattletimes.com) 170

Posted by EditorDavid from the we-built-this-city dept.
"According to the federal Bureau of Labor Statistics, nearly 73% of businesses reported that their workers rarely or never engaged in remote work in 2022 — closing in on pre-pandemic levels," writes a Seattle Times business columnist. "But this minority of the civilian workforce working remotely casts a large shadow over our economy, especially central business districts."

The column's headline argues that Seattle "is still facing the reckoning from remote work" — which may also be true in other big tech cities. Kastle Systems, which tracks back-to-the-office moves, estimated 49.8% occupancy as of late June. Kastle uses a 10-city average ranging from New York to Los Angeles but doesn't include Seattle. In the latest report, Houston led at nearly 61% occupancy. San Jose, Calif., in the heart of Silicon Valley, where remote work flourishes, was the lowest at 38%. As of May, 48% of workers in Seattle's central core have returned to the office compared with 2019, according to the Downtown Seattle Association. The most significant boost has come from Amazon, which mandated employees must work in the office at least three days a week.

So, you can be an offices-half-full or an offices-half-empty kind of person.

Still, Capital Economics, an independent research firm, estimated this past month that remote work will shave 35% from the value of the U.S. office sector. In addition, it predicted many office buildings won't return to their previous peak values until 2040 or later... As loans come due for commercial real estate properties, many cities face a reckoning. Refinancing is difficult with high interest rates. In some cases, buildings are worth less than the land they occupy. Foreclosures and defaults are rising. This is already spilling over to hurt sectors that are dependent on offices, such as architects, cleaning services, construction and others. The Wall Street Journal estimates this accounts for a "multibillion-dollar ecosystem."

As a result, many American cities are struggling to convert office buildings unlikely to see workers again into other uses, especially apartments. Rigid zoning and building codes, the footprint of the structures, and resistance from nearby homeowners to increased density all make this difficult. Seattle is facing some of the same challenges. Mayor Bruce Harrell announced a "call for ideas" to alter some of the city's office space to residential or other uses...

Several trend lines are moving in the right direction — return of workers, number of residents, visitors and hotel occupancy are all going up, and crime is going down, with violent crime and property crime down the first five months of the year compared with 2022. Downtown has seen a 13.8% decrease in violent crime and a 35.1% drop in property crime over the same period... To be sure, we're in undiscovered territory. But giving up on downtown Seattle is not an option. It accounts for the majority of the city's business taxes and majority of its workers...

Whether remote or hybrid work remains for much of the local workforce or a gradual return to the office continues, the heart of the city must be healthy.
Social Networks

As BotDefense Leaves 'Antagonistic' Reddit, Mods Fear Spam Overload (arstechnica.com) 68

Posted by EditorDavid from the annals-of-the-API-wars dept.
"The Reddit community is still reckoning with the consequences of the platform's API price hike..." reports Ars Technica.

"The latest group to announce its departure is BotDefense." BotDefense, which helps remove rogue submission and comment bots from Reddit and which is maintained by volunteer moderators, is said to help moderate 3,650 subreddits. BotDefense's creator told Ars Technica that the team is now quitting over Reddit's "antagonistic actions" toward moderators and developers, with concerning implications for spam moderation on some large subreddits like r/space.

BotDefense started in 2019 as a volunteer project and has been run by volunteer mods, known as "dequeued" and "abrownn" on Reddit. Since then, it claims to have populated its ban list with 144,926 accounts, and it helps moderate subreddits with huge followings, like r/gaming (37.4 million members), /r/aww (34.2 million), r/music (32.4 million), r/Jokes (26.2 million), r/space (23.5 million), and /r/LifeProTips (22.2 million). Dequeued told Ars that other large subreddits BotDefense helps moderates include /r/food, /r/EarthPorn, /r/DIY, and /r/mildlyinteresting. On Wednesday, dequeued announced that BotDefense is ceasing operations. BotDefense has already stopped accepting bot account submissions and will disable future action on bots. BotDefense "will continue to review appeals and process unbans for a minimum of 90 days or until Reddit breaks the code running BotDefense," the announcement said...

Dequeued, who said they've been moderating for nearly nine years, said Reddit's "antagonistic actions" toward devs and mods are the only reason BotDefense is closing. The moderator said there were plans for future tools, like a new machine learning system for detecting "many more" bots. Before the API battle turned ugly, dequeued had no plans to stop working on BotDefense...

[S]ubreddits that have relied on BotDefense are uncertain about managing their subreddits without the tool, and the tool's impending departure are new signs of a deteriorating Reddit community.
Ironically, Reddit's largest shareholder — Advance Publications — owns Ars Technica's parent company Conde Naste.

The article notes that Reddit "didn't respond to Ars' request for comment on BotDefense closing, how Reddit fights spam bots and karma farms, or about users quitting Reddit."
Bug

Researchers Discovered a New Linux Kernel 'StackRot' Privilege Escalation Vulnerability (thehackernews.com) 36

Posted by EditorDavid from the bad-bugs dept.
Wednesday Greg Kroah-Hartman announced the release of the 6.4.2 kernel. "All users of the 6.4 kernel series must upgrade."

The Hacker News reports: Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date.

"As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger," Peking University security researcher Ruihan Li said. "However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging."

Following responsible disclosure on June 15, 2023, it has been addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, after a two-week effort led by Linus Torvalds. A proof-of-concept (PoC) exploit and additional technical specifics about the bug are expected to be made public by the end of the month.
ZDNet points out that Linux 6.4 "offers improved hardware enablement for ARM boards" and does a better job with the power demands of Steam Deck gaming devices. And "On the software side, the Linux 6.4 release includes more upstreamed Rust code. We're getting ever closer to full in-kernel Rust language support."

The Register also notes that Linux 6.4 also includes "the beginnings of support for Apple's M2 processors," along with support for hibernation of RISC-V CPUs, "a likely presage to such silicon powering laptop computers."
China

China's Workers and the Curse of (Turning) 35 (osu.edu) 61

Posted by EditorDavid from the unhappy-birthdays dept.
Long-time Slashdot reader 93 Escort Wagon writes: Age discrimination is something many tech workers think about — especially once they get into their 40s and 50s. But imagine what it would be like if you thought that every job in every field shunned you at an even earlier age. In China, you apparently don't have to imagine, the New York Times reports...

"When Sean Liang turned 30, he started thinking of the Curse of 35 — the widespread belief in China that white-collar workers like him confront unavoidable job insecurity after they hit that age. In the eyes of employers, the Curse goes, they're more expensive than new graduates and not as willing to work overtime.

Liang, now 38, is a technology support professional turned personal trainer. He has been unemployed for much of the past three years, partly because of the pandemic and China's sagging economy. But he believes the main reason is his age. He's too old for many employers, including the Chinese government, which caps the hiring age for most civil servant positions at 35. If the Curse of 35 is a legend, it's one supported by some facts."
"It's not clear how the phenomenon started, and it's hard to know how much truth there is to it," the article points out. But it also notes that age discrimination "is not against the law in China," which with a weak job market forms "a double whammy for workers in their mid-30s who are making big decisions about career, marriage and children...

"In 2022, the number of marriage registrations fell 10.5% from a year earlier, to the lowest number since China began disclosing the data in 1986. The country's birthrate fell to a low point last year, and its population shrank for the first time since 1961, the end of the Great Famine."
Social Networks

Cyberpunk 2077 Players Protest Reddit By Posting Nudes (kotaku.com) 52

Posted by msmash from the how-about-that dept.
Open-world sci-fi RPG Cyberpunk 2077's biggest subreddit recently switched to NSFW (not safe for work,) with the explanation that the game it is focused on is a mature game filled with nudity and gore. However, Reddit allegedly demanded that mods of the subreddit quickly revert the change. From a report: The mods aren't complying and users are now posting nude images of in-game characters as part of a protest to show why the subreddit deserves to be NSFW. Since May, Reddit has been at war with its users and subreddits as the company clamps down on third-party apps and their ability to access the site's backend or API. It's not gone well for Reddit, leading to popular subreddits like r/bestof, r/sports, and r/music going dark. And as part of this ongoing backlash, some subreddits switched to NSFW. This designation is reserved mainly for porn-y subreddits and blocks ads from appearing, but also lets users freely post nudity and more adult content.

Some mods and subreddits have used this designation to punch back at Reddit and its despised CEO. Now the Cyberpunk 2077 subreddit has seemingly wandered into this mess. According to a post from July 5 by moderator Tabnam, the decision to make the Cyberpunk 2077 subreddit NSFW was made because the game is "an 18+ game" and happened now because the mods had "never thought to change it until recently." Tabnam added that this subreddit should have already been NSFW. This decision apparently didn't go over well with Reddit.
Cellphones

France Passes New Bill Allowing Police To Remotely Activate Cameras On Citizens' Phones (gizmodo.com) 132

Posted by BeauHD from the remote-control dept.
An anonymous reader quotes a report from Gizmodo: Amidst ongoing protests in France, the country has just passed a new bill that will allow police to remotely access suspects' cameras, microphones, and GPS on cell phones and other devices. As reported by Le Monde, the bill has been criticized by the French people as a "snoopers" charter that allows police unfettered access to the location of its citizens. Moreover, police can activate cameras and microphones to take video and audio recordings of suspects. The bill will reportedly only apply to suspects in crimes that are punishable by a minimum of five years in jail and Justice Minister Eric Dupond-Moretti claimed that the new provision would only affect a few dozen cases per year. During a debate over the bill yesterday, French politicians added an amendment that orders judge approval for any surveillance conducted under the scope of the bill and limits the duration of surveillance to six months, according to Le Monde.

"For organized crime, the police can have access to the sound and image of a device. This concerns any connected device: telephone, speaker microphone, computer camera, computer system of a car... all without the knowledge of the persons concerned," French advocacy group La Quadrature du Net said in a statement on Twitter last month, machine translated by Gizmodo. "In view of the growing place of digital tools in our lives, accepting the very principle that they are transformed into police auxiliaries without our being aware of it poses a serious problem in our societies." In 2021, France passed a bill that would expand the French police force's ability to monitor civilians using drones -- all in an effort to protect officers from increasingly violent protestors, according to French President Emmanuel Macron.
Security

Actively Exploited Vulnerability Threatens Hundreds of Solar Power Stations (arstechnica.com) 23

Posted by BeauHD from the time-to-update dept.
An anonymous reader quotes a report from Ars Technica: Hundreds of Internet-exposed devices inside solar farms remain unpatched against a critical and actively exploited vulnerability that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities. The devices, sold by Osaka, Japan-based Contec under the brand name SolarView, help people inside solar facilities monitor the amount of power they generate, store, and distribute. Contec says that roughly 30,000 power stations have introduced the devices, which come in various packages based on the size of the operation and the type of equipment it uses.

Searches on Shodan indicate that more than 600 of them are reachable on the open Internet. As problematic as that configuration is, researchers from security firm VulnCheck said Wednesday, more than two-thirds of them have yet to install an update that patches CVE-2022-29303, the tracking designation for a vulnerability with a severity rating of 9.8 out of 10. The flaw stems from the failure to neutralize potentially malicious elements included in user-supplied input, leading to remote attacks that execute malicious commands. Security firm Palo Alto Networks said last month the flaw was under active exploit by an operator of Mirai, an open source botnet consisting of routers and other so-called Internet of Things devices. The compromise of these devices could cause facilities that use them to lose visibility into their operations, which could result in serious consequences depending on where the vulnerable devices are used.

"The fact that a number of these systems are Internet facing and that the public exploits have been available long enough to get rolled into a Mirai-variant is not a good situation," VulnCheck researcher Jacob Baines wrote. "As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on." Baines said that the same devices vulnerable to CVE-2022-29303 were also vulnerable to CVE-2023-23333, a newer command-injection vulnerability that also has a severity rating of 9.8. Although there are no known reports of it being actively exploited, exploit code has been publicly available since February. Incorrect descriptions for both vulnerabilities are one factor involved in the patch failures, Baines said. Both vulnerabilities indicate that SolarView versions 8.00 and 8.10 are patched against CVE-2022-29303 and CVE-2023-293333. In fact, the researcher said, only 8.10 is patched against the threats.
Encryption

Security Researchers Latest To Blast UK's Online Safety Bill As Encryption Risk (techcrunch.com) 5

Posted by BeauHD from the heed-thy-warning dept.
An anonymous reader quotes a report from TechCrunch: Nearly 70 IT security and privacy academics have added to the clamor of alarm over the damage the U.K.'s Online Safety Bill could wreak to, er, online safety unless it's amended to ensure it does not undermine strong encryption. Writing in an open letter (PDF), 68 U.K.-affiliated security and privacy researchers have warned the draft legislation poses a stark risk to essential security technologies that are routinely used to keep digital communications safe.

"As independent information security and cryptography researchers, we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill," the academics warn, echoing concerns already expressed by end-to-end encrypted comms services such as WhatsApp, Signal and Element -- which have said they would opt to withdraw services from the market or be blocked by U.K. authorities rather than compromise the level of security provided to their users. [...] "We understand that this is a critical time for the Online Safety Bill, as it is being discussed in the House of Lords before being returned to the Commons this summer," they write. "In brief, our concern is that surveillance technologies are deployed in the spirit of providing online safety. This act undermines privacy guarantees and, indeed, safety online."

The academics, who hold professorships and other positions at universities around the country -- including a number of Russell Group research-intensive institutions such as King's College and Imperial College in London, Oxford and Cambridge, Edinburgh, Sheffield and Manchester to name a few -- say their aim with the letter is to highlight "alarming misunderstandings and misconceptions around the Online Safety Bill and its interaction with the privacy and security technologies that our daily online interactions and communication rely on." "There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties," the experts warn, adding: "The history of 'no one but us' cryptographic backdoors is a history of failures, from the Clipper chip to DualEC. All technological solutions being put forward share that they give a third party access to private speech, messages and images under some criteria defined by that third party."

Last week, Apple publicly voiced its opposition to the bill. The company said in a statement: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."
Firefox

Firefox 115 Released (mozilla.org) 61

Posted by msmash from the moving-forward dept.
williamyf writes: Today, Mozilla released Firefox 115. Changes most visible to users include:

* Hardware video decoding is now enabled for Intel GPUs on Linux..

* Migrating from another browser? Now you can bring over payment methods you've saved in Chrome-based browsers to Firefox.

* The Tab Manager dropdown now features close buttons, so you can close tabs more quickly.

* The Firefox for Android address bar's new search button allows you to easily switch between search engines and search your bookmarks and browsing history.

* We've refreshed and streamlined the user interface for importing data in from other browsers.

* Users without platform support for H264 video decoding can now fallback to Cisco's OpenH264 plugin for playback.

But the most important feature is that this release is the new ESR. Why this is important? y'all ask, well:

* Many a "downstream" project depends on Firefox ESR, for example the famous email client Thunderbird, or KaiOS (a mobile OS very popular in India, SE Asia, Africa and LatAm), so, for better or worse, whatever made it to (or is lacking from) this version of the browser, those projects have to use for the next year.

* Firefox ESR is the default browser of many distros, like Debian and Kali Linux, so, whatever made it to this version will be there for next year, ditto to whatever is lacking.

* If you are on old -- unsupported OSs, like Windows 7, 8-8.1 or MacOS 10.14 (Mojave, the last MacOS with support for 32 Bit Apps), 10.13 or 10.12 you will automatically be migrated to Firefox ESR, so this will be your browser until Sept. 2024.
Security

336,000 Servers Remain Unpatched Against Critical Fortigate Vulnerability (arstechnica.com) 23

Posted by BeauHD from the what-are-you-waiting-for dept.
An anonymous reader quotes a report from Ars Technica: Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago. CVE-2023-27997 is a remote code execution in Fortigate VPNs, which are included in the company's firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Administration added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.

Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said. Security firm Bishop Fox on Friday, citing data retrieved from queries of the Shodan search engine, said that of 489,337 affected devices exposed on the internet, 335,923 of them -- or 69 percent -- remained unpatched. Bishop Fox said that some of the vulnerable machines appeared to be running Fortigate software that hadn't been updated since 2015. "Wow -- looks like there's a handful of devices running 8-year-old FortiOS on the Internet," Caleb Gross, director of capability development at Bishop Fox, wrote in Friday's post. "I wouldn't touch those with a 10-foot pole."
IT

The Link Rot Spreads: GIF-hosting Site Gfycat Shutting Down Sept. 1 (arstechnica.com) 27

Posted by msmash from the another-bites-dust dept.
Gfycat, a place where users uploaded, created, and distributed GIFs of all sorts, is shutting down as of Sept. 1, according to a message on its homepage. From a report: Users of the Snap-owned service are asked to "Please save or delete your Gfycat content." "After September 1, 2023, all Gfycat content and data will be deleted from gfycat.com." Gfycat rose as a service during a period where, like Imgur, it was easier to use than any native tools provided by content sites like Facebook or Reddit.

As CEO and co-founcer Richard Rabbat told TechCrunch in 2016, after raising $10 million from investors, GIFs were "hard to make, slow to upload, and when you shared them, the quality wasn't very good." Gfycat created looped, linked Webm videos that, while compressed, retained an HD quality to them. They were easier to share than actual GIF-format files, and offered an API for other sites to tap in. "I see Gfycat as the ultimate platform for all short-form content, the way that YouTube is the platform for longer videos and Twitter is the platform for text-based news and media discussions," VC funder Ernestine Fu told TechCrunch in 2016, long before TikTok, YouTube shorts, and Elon Musk's Twitter ownership came to pass.
Security

Despite Amazon Ban, Flipper Zero's 'Multi-Tool Device for Hackers' On Track for $80M in Sales (techcrunch.com) 80

Posted by EditorDavid from the Kickstarted dept.
The company behind Flipper Zero expects $80 million in sales this year, which ZDNet estimates at around 500,000 unit sales.

In its Kickstarter days the company sold almost $5 million as preorders, remembers TechCrunch, and the company claims it sold $25 million worth of the devices last year: So what are they selling? Flipper Zero is a "portable gamified multi-tool" aimed at everyone with an interest in cybersecurity, whether as a penetration tester, curious nerd or student — or with more nefarious purposes. The tool includes a bunch of ways to manipulate the world around you, including wireless devices (think garage openers), RFID card systems, remote keyless systems, key fobs, entry to barriers, etc. Basically, you can program it to emulate a bunch of different lock systems.

The system really works, too — I'm not much of a hacker, but I've been able to open garages, activate elevators and open other locking systems that should be way beyond my hacking skill level. On the one hand, it's an interesting toy to experiment with, which highlights how insecure much of the world around us actually is. On the other hand, I'm curious if it's a great idea to have 300,000+ hacking devices out in the wild that make it easy to capture car key signals and gate openers and then use them to open said apertures.
The company points out that their firmware is open source, and can be inspected by anyone.

ZDNet calls it "incredibly user-friendly" and "a fantastic educational tool and a stepping stone to get people — young and old — into cybersecurity," with "a very active community of users that are constantly finding new things to do with it". (Even third-party operating systems are available).

"Instead of looking like some scary hacking tool, all black and bristling with antennas, it looks like a kid's toy, all plastic and brightly colored," writes ZDNet. "It reminds me of Tamagotchis..."

Thanks to Slashdot reader ZipNada for suggesting the article.
Education

Schools Say US Teachers' Retirement Fund Was Breached By MOVEit Hackers (techcrunch.com) 15

Posted by BeauHD from the mass-hacks dept.
An anonymous reader quotes a report from TechCrunch: Two U.S. schools have confirmed that TIAA, a nonprofit organization that provides financial services for individuals in academic fields, has been caught up in the mass-hacks targeting MOVEit file transfer tools. Middlebury College in Vermont and Trinity College in Connecticut both released security notices confirming they experienced data breaches as a result of a security incident at the Teachers Insurance and Annuity Association of America, or TIAA. According to its website, TIAA serves mire than five million active and retired employees participating at more than 15,000 institutions and manages $1.3 trillion in assets in more than 50 countries.

Both of the security notices confirm that TIAA was affected by hackers' widespread exploitation of a flaw in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. The mass-hack has so far claimed more than 160 victims, according to Emsisoft threat analyst Brett Callow, including the U.S. Department of Health and Human Services (HHS) and Siemens Energy. Only 12 of these victims have confirmed the number of people affected, which already adds up to more than 16 million individuals.

While TIAA notified affected schools of its security incident, the organization has yet to publicly acknowledge the incident. In response to a Twitter user questioning the organization's silence, TIAA responded saying that its offices were closed. It's not yet known how many organizations have been impacted as a result of the cyberattack on TIAA. TIAA has not yet been listed on the dark web leak site of the Russia-linked Clop ransomware gang, which has claimed responsibility for the ongoing MOVEit cyberattacks.
Security

TSMC Says Some Of Its Data Was Swept Up in a Hack on a Hardware Supplier (arstechnica.com) 1

Posted by msmash from the PSA dept.
Chipmaker TSMC said on Friday that one of its hardware suppliers experienced a "security incident" that allowed the attackers to obtain configurations and settings for some of the servers the company uses in its corporate network. From a report: The disclosure came a day after the LockBit ransomware crime syndicate listed TSMC on its extortion site and threatened to publish the data unless it received a payment of $70 million. The hardware supplier, Kinmax Technology, confirmed that one of its test environments had been attacked by an external group, which was then able to retrieve configuration files and other parameter information. The company said it learned of the breach on Thursday and immediately shut down the compromised systems and notified the affected customer.

"Since the above information has nothing to do with the actual application of the customer, it is only the basic setting at the time of shipment," Kinmax officials wrote. "At present, no damage has been caused to the customer, and the customer has not been hacked by it." In an email, a TSMC representative wrote, "Upon review, this incident has not affected TSMC's business operations, nor did it compromise any TSMC's customer information. After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the Company's security protocols and standard operating procedures." The statement didn't say if TSMC has been contacted by the attackers or if it plans to pay the ransom.
Piracy

French Govt Wants To Inject Domain Blocking Lists Directly Into Web Browsers (torrentfreak.com) 82

Posted by msmash from the France's-browser-babysitters dept.
Online piracy, now being linked with malware, identity theft, and banking fraud, has prompted a coordinated concerning campaign for tougher legislation beyond copyright laws. The French government, news website TorrentFreak reports, is considering an ambitious approach: integrating state-operated domain blacklists into web browsers. This step is well-intentioned, indicating an evolving strategy in battling piracy.
IT

Atom Feed Format Was Born 20 Years Ago (rssboard.org) 5

Posted by msmash from the feeding-frenzy dept.
RSS Advisory Board: This month marks the 20th anniversary of the effort that became the Atom feed format. It all began on June 16, 2003, with a blog post from Apache Software Foundation contributor Sam Ruby asking for feedback about what constitutes a well-formed blog entry. The development of RSS 2.0 had been an unplanned hopscotch from a small group at Netscape to a smaller one at UserLand Software, but Atom was a barn raising. Hundreds of software developers, web publishers and technologists gathered for a discussion in the abstract that led to a concrete effort to build a well-specified syndication format and associated publishing API that could become Internet standards. Work was done on a project wiki that grew to over 1,500 pages. Everything was up for a vote, including a plebiscite on choosing a name that ballooned into a four-month-long bikeshed discussion in which Pie, Echo, Wingnut, Feedcast, Phaistos and several dozen alternatives finally, mercifully, miraculously lost out to Atom.

The road map of the Atom wiki lists the people, companies and projects that jumped at the chance to create a new format for feeds. XML specification co-author Tim Bray wrote: "The time to write it all down and standardize it is not when you're first struggling to invent the technology. We now have aggregators and publishing systems and search engines and you-name-it, and I think the community collectively understands pretty well what you need, what you don't need, and what a good syntax looks like. So, now's the time."
Security

High School in Illinois Changes Every Student's Password To 'Ch@ngeme!' (techcrunch.com) 77

Posted by msmash from the oops dept.
After a cybersecurity audit mistakenly reset everyone's password, a high school changed every student's password to "Ch@ngeme!" giving every student the chance to hack into any other student's account, according to emails obtained by TechCrunch. From the report: Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, "due to an unexpected vendor error, the system reset every student's password, preventing students from being able to log in to their Google account."

"To fix this, we have reset your child's password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today," the school, which has around 3,000 students, wrote in an email dated June 22. "We strongly suggest that your child update this password to their own unique password as soon as possible."
Security

SEC Notice To SolarWinds CISO and CFO Roils Cybersecurity Industry (csoonline.com) 34

Posted by msmash from the how-about-that dept.
The US Securities and Exchange Commission has roiled the cybersecurity industry by putting executives of SolarWind on notice that it may pursue legal action for violations of federal law in connection with their response to the 2020 attack on the company's infrastructure that affected thousands of customers in government agencies and companies globally. From a report: Current and former employees and officers of the company, including the chief financial officer (CFO) and chief information security officer (CISO), have received so-called Wells Notices notices from the SEC staff, in connection with the investigation of the 2020 cyberattack, the company said in an SEC filing.

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws," SolarWinds said in its filing. A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, SolarWinds noted. However, if the SEC does pursue legal action and prevails in a lawsuit, there could be various consequences.
Social Networks

Minecraft's Devs Exit its 7 Million-Strong Subreddit After Reddit's Ham-Fisted Crackdown on Protest (pcgamer.com) 91

Posted by msmash from the how-about-that dept.
An anonymous reader shares a report: If you want official updates from the Minecraft dev team, you better not look on Reddit. A post from a Reddit user bearing the name sliced_lime and a flair indicating they are the Minecraft Java Tech Lead (almost certainly Mojang's Mikael Hedberg) announced yesterday that Mojang would no longer be posting official content to Reddit, in the wake of that platform's response to protests over changes to its API. "As you have no doubt heard by now, Reddit management introduced changes recently that have led to rule and moderation changes across many subreddits," read the post, before announcing that those changes have led Mojang to "no longer feel that Reddit is an appropriate place to post official content or refer [its] players to".

The events are only obliquely referred to in the post, but it seems the move has been sparked by Reddit's crackdown on protests against recent changes to its API that would, in essence, kill off third-party apps that let users access the site. Subreddit mods have spent the last few weeks mounting various campaigns against Reddit's corporate leadership, either "going dark" by turning the subreddits they oversee into private, invite-only communities or else marking them as NSFW, meaning Reddit can't sell ads on those pages. Reddit responded by pressuring disgruntled mods, and in some cases ousting and trying to replace them.
Privacy

LetMeSpy, a Phone Tracking App Spying On Thousands, Says It Was Hacked (techcrunch.com) 18

Posted by BeauHD from the fate-loves-irony dept.
An anonymous reader quotes a report from TechCrunch: A hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware. The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, "a security incident occurred involving obtaining unauthorized access to the data of website users." "As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts," the notice read.

LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone's home screen, making it difficult to detect and remove. Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone -- such as spouses or domestic partners -- with physical access to a person's phone, without their consent or knowledge. Once planted, LetMeSpy silently uploads the phone's text messages, call logs, and precise location data to its servers, allowing the person who planted the app to track the person in real-time.

Polish security research blog Niebezpiecznik first reported the breach. When Niebezpiecznik contacted the spyware maker for comment, the hacker reportedly responded instead, claiming to have seized wide access to the spyware maker's domain. It's not clear who is behind the LetMeSpy hack or their motives. The hacker intimated that they deleted LetMeSpy's databases stored on the server. A copy of the hacked database also appeared online later the same day. TechCrunch reviewed the leaked data, which included years of victims' call logs and text messages dating back to 2013. The database we reviewed contained current records on at least 13,000 compromised devices, though some of the devices shared little to no data with LetMeSpy. (LetMeSpy claims to delete data after two months of account inactivity.)
Encryption

Apple Joins Opposition in UK To Encrypted Message App Scanning (bbc.com) 40

Posted by msmash from the tussle-continues dept.
Apple has criticised powers in the UK's Online Safety Bill that could be used to force encrypted messaging tools like iMessage, WhatsApp and Signal to scan messages for child abuse material. From a report: Its intervention comes as 80 organisations and tech experts have written to Technology Minister Chloe Smith urging a rethink on the powers. Apple told the BBC the bill should be amended to protect encryption. End-to-end encryption (E2EE) stops anyone but the sender and recipient reading the message. Police, the government and some high-profile child protection charities maintain the tech -- used in apps such as WhatsApp and Apple's iMessage -- prevents law enforcement and the firms themselves from identifying the sharing of child sexual abuse material.

But in a statement Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. "Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."
Encryption

3-Year Probe Into Encrypted Phones Led To Seizure of Hundreds of Tons of Drugs, Prosecutors Say (apnews.com) 60

Posted by msmash from the closer-look dept.
Investigations triggered by the cracking of encrypted phones three years ago have so far led to more than 6,500 arrests worldwide and the seizure of hundreds of tons of drugs, French, Dutch and European Union prosecutors said Tuesday. From a report: The announcement underscored the staggering scale of criminality -- mainly drugs and arms smuggling and money laundering -- that was uncovered as a result of police and prosecutors effectively listening in to criminals using encrypted EncroChat phones. "It helped to prevent violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime," European Union police and judicial cooperation agencies Europol and Eurojust said in a statement.

The French and Dutch investigation gained access to more than 115 million encrypted communications between some 60,000 criminals via servers in the northern French town of Roubaix, prosecutors said at a news conference in the nearby city of Lille. As a result, 6,558 suspects have been arrested worldwide, including 197 "high-value targets." Seized drugs included 30.5 million pills, 103.5 metric tons (114 tons) of cocaine, 163.4 metric tons (180 tons) of cannabis and 3.3 metric tons (3.6 tons) of heroin. The investigations also led to nearly 740 million euros ($809 million) in cash being recovered and assets or bank accounts worth another 154 million euros ($168 million) frozen.
Security

Smartwatches Are Being Used To Distribute Malware (defensenews.com) 17

Posted by BeauHD from the don't-turn-it-on dept.
"Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and report the incident to their local security office." Defense News reports: The Department of the Army Criminal Investigation Division, or CID, in an announcement last week warned the watches may contain malware, potentially granting whoever sent the peripherals "access to saved data to include banking information, contacts, and account information such as usernames and passwords."

A more innocuous tactic may also be to blame: so-called brushing, used in e-commerce to boost a seller's ratings through fake orders and reviews. The CID, an independent federal law enforcement agency consisting of thousands of personnel, did not say exactly how many smartwatches were so far distributed.
Crime

Twitter Hacker Who Turned Celebrity Accounts Into Crypto Shills Gets Prison Sentence (gizmodo.com) 14

Posted by BeauHD from the chapter-coming-to-a-close dept.
An anonymous reader quotes a report from Gizmodo: One of the cybercriminals behind 2020's major Twitter hack was sentenced to five years in U.S. federal prison on Friday. Joseph O'Connor (AKA "PlugwalkJoe"), a 24-year-old British citizen, previously pleaded guilty to seven charges associated with the digital attack. He was arrested in Spain in 2021 and extradited to the U.S. in April of this year. In addition to the five years of jail time, O'Connor was also sentenced to three additional years under supervised release and ordered to pay back more than $790,000 in illicitly obtained funds, according to a news release from the U.S. Attorney's Office of the Southern District of New York. Previously, Graham Ivan Clark, another one of the hackers involved who was 17 at the time of the attack, pleaded guilty to related charges and was sentenced to three years in prison.

With all charges combined, O'Connor faced a maximum of 77 years in prison, per a Reuters report, while prosecutors called for a seven-year sentence. Ultimately, he will likely only serve about half of his five years, after having already spent nearly 2.5 years in pre-trial custody, Judge Jed S. Rakoff said during the Friday hearing, according to TechCrunch. Along with his fellow hackers, O'Connor "used his sophisticated technological abilities for malicious purposes -- conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim," according to a previous statement given by prosecuting U.S. Attorney Damian Williams. [...]

An investigation by the New York State Department of Financial Services determined that the breach was made possible because Twitter "lacked adequate cybersecurity protections," according to an October 2020 report. O'Connor and co were able to gain access to the social platform's internal systems through a simple scheme of calling Twitter employees posing as the company IT department. They were able to trick four Twitter workers into providing their login credentials. The FBI launched its own investigation, which found that O'Connor and his co-conspirators had managed to transfer account ownership to unauthorized users -- sometimes themselves, and sometimes to others willing to pay for the accounts. O'Connor himself paid $10,000 to take over one specific, unnamed account, according to a Department of Justice press statement from May. In addition to the Twitter hack, O'Connor also pleaded guilty to stealing nearly $800,000 from a crypto company by SIM swapping at least three executives' phone numbers. He further admitted to blackmailing an unnamed public figure via Snapchat and swatting a 16-year-old girl.
Australia

Turn Your Phone Off Every Night For Five Minutes, Australian PM Tells Residents (theguardian.com) 126

Posted by msmash from the how-about-that dept.
Australia's prime minister, Anthony Albanese, has told residents they should turn their smartphones off and on again once a day as a cybersecurity measure -- and tech experts agree. From a report: Albanese said the country needed to be proactive to thwart cyber risks, as he announced the appointment of Australia's inaugural national cybersecurity coordinator. "We need to mobilise the private sector, we need to mobilise, as well, consumers," the prime minister said on Friday. "We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you're brushing your teeth or whatever you're doing." The Australian government's advice is not new. In 2020, the United State's National Security Agency issued best-practice guidelines for mobile device security, which included rebooting smartphones once a week to prevent hacking.
Stats

Working From Home 'A Permanent Shift', New US Data Suggests (msn.com) 149

Posted by EditorDavid from the avoiding-offices dept.
An anonymous reader shared this report from the Washington Post: Working from home appears to be here to stay, especially for women and college-educated workers, according to economic data released Thursday that revealed how Americans spent their time in 2022. The data, from the American Time Use Survey (ATUS), suggests that the pandemic changes that upended the workplace, family life and social interactions continue to have a lasting effect on life in the United States.

Many white-collar workers who hunkered down at home during pandemic shutdowns have returned to the office, but extraordinarily high numbers have not. For many, remote work appears to be a new normal... Working from home "is a permanent shift," said Julia Pollak, chief economist at ZipRecruiter. "We're now seeing many companies start as remote-first companies." The new data is a "continuation of what we've been seeing" in the American workforce, she said...

The annual survey by the Bureau of Labor Statistics and the Census Bureau asks thousands of Americans how they spent the past 24 hours of their lives across different categories of activities. Results from 2019 through 2021 showed that the pandemic dramatically shifted how much time people spend working at home. The new data suggests those changes persisted through 2022, even as much of life returned to normal as more people got vaccinated and boosted against the coronavirus, and case counts fell...

There is a clear benefit to remote work for employees, Pollak said. Working from home saves time and money on commuting, and many employees want the flexibility to work from anywhere, to better support their parents or children. She said remote work also is "part of the reason for this huge spike in new business formation. It has lowered the barriers to starting a business."
The 2022 figures show 34% of workers over the age of 15 still said they were working at home — and 54% of workers with a workers with a bachelor's degree or higher. (Meanwhile, workers without a high school diploma "were even less likely to work from home in 2022 than they were before the pandemic.")

The Post also reports another interesting finding in the data. "Americans ages 20 to 24 are the only group that spent more time socializing than before the pandemic. Teenagers, and adults ages 55 to 64, reported an overall decline in time spent socializing since before the pandemic."
IT

San Francisco Mayor: Tear Down Abandoned Retail Spaces Downtown (cnn.com) 118

Posted by EditorDavid from the raze-and-shine dept.
On Thursday San Francisco's mayor London Breed "proposed remaking the city's struggling downtown by tearing down abandoned retail space..." reports CNN, "and building new structures to reshape the struggling city..." Breed's comments come as San Francisco faces empty offices, a cratering commercial real estate market, and an exodus of retailers from its once-bustling downtown area, especially as pandemic work-from-home policies saw many residents leaving for less expensive parts of the country... Breed argued that an overall shift to online shopping post-pandemic has contributed to declining foot traffic in the area.

"You can convert certain spaces. A Westfield Mall could become something completely different than what it currently is," she said. "We can even tear down the whole building and build a whole new soccer stadium. We can create lab space or look at it as another company in some other capacity," she added...

Many tech companies in the city were quick to switch to remote work or flexible hybrid policies over the last few years, resulting in many workers filtering out of the city. Office vacancies in San Francisco have reached a 30-year high, negatively impacting the city's commercial real estate market and local retailers and restaurants, which have experienced declining sales and foot traffic. "Would I like for everyone to come back to the office five days a week? Of course, I would. But is that going to happen? Probably not. So, let's make some adjustments to do everything we can to reimagine what parts of San Francisco can be," Breed said.
Communications

Eight Teams of Hackers Will Compete To Breach U.S. Satellite In Space (newsweek.com) 9

Posted by BeauHD from the capture-the-flag dept.
In August, white-hat hackers at the DEFCON hacker convention will compete to try and breach the computer systems on a satellite in orbit. It took four years, but "this year, we are in space for real," said Steve Colenzo, Technology Transfer Lead for the Air Force Research Laboratory's Information Directorate in Rome, New York, and one of the contest organizers. From a report: Hack-A-Sat 4, taking place live at DEFCON Aug. 10-13 in Las Vegas, will be the first-ever hacking contest staged on a vehicle in orbit. In previous years, the contests used genuine working satellite hardware, but running safely on the ground. [...] Hack-A-Sat 4 is an attack/defend contest in which teams compete to hack each other's systems while defending their own. It is being staged by the Air Force Research Laboratory and the U.S. Space Force. More than 380 teams signed up for the qualification round in April, and the eight top-scoring ones, which include contestants from Australia, Germany, Italy and Poland, as well as the U.S., will participate in the finals at DEFCON.

"We always knew our objective was to do this in space," Colenzo said. But when, back in 2020, organizers asked satellite operators if they could stage a hacking contest on their space assets, "The answer, and there was really no hesitation, the answer was always no." Hack-A-Sat organizers realized that, if they wanted to reach their objective of staging such a contest in space, they would have to launch their own satellite, Colenzo said. The Moonlighter satellite was launched on a SpaceX rideshare rocket to the International Space Station June 5 by the U.S. government-backed non-profit The Aerospace Corporation. It's a foot-long toaster-sized cubesat satellite with extendable solar panels.

If all goes according to plan, Moonlighter will be deployed into orbit early in July, Project leader Aaron Myrick told Newsweek. Moonlighter is designed to be hacked, he said, and there are numerous safety measures in place. "The first thing that we said was that propulsion was off the table," Moonlighter can't change its own orbit, which might make it a hazard to other satellites. And its ground controllers have the ability to reboot the system, kicking out any intruders and restoring their control.
Security

Hospital Cyber Attacks Surge, Risking Struggling Bottom Lines (bloomberg.com) 40

Posted by msmash from the growing-concern dept.
Cyberattacks on US hospitals are on the rise, adding a layer of financial pressure onto an industry still struggling to recover from the pandemic. From a report: Health facilities have been hit with 226 digital incursions affecting 36 million people this year, on track to be more widespread than 2022 attacks, according to John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association. Cyber raids on hospitals more than tripled in the past five years and have become more sophisticated, just when hospitals are coping with higher costs for labor and supplies and grappling with staff shortages. The industry in 2022 had what Moody's Investors Service analyst Matthew Cahill called "arguably the worst year in health-care history" for financial performance. "There's really no wiggle room for hospitals to deal with this," Cahill said in an interview. He said cyber risk has contributed to downgrades, including one at Missouri's Capital Region Medical Center last year following a breach.

Health-care facilities are attractive targets for cybercriminals because they hold ample personal data on patients, Matt Fabian and Lisa Washburn of Municipal Market Analytics wrote in a research note. Staffing shortages and wide use of third-party technology make the sector particularly vulnerable. The problem is particularly dire at smaller and rural hospitals, which have more financial distress and tend to use older technology. In an April note, Moody's cited an IBM survey that showed hospitals for 12 years have had the highest average cyberattack cost per industry, with $10.1 million in 2022. The AHA's Riggi said that while most hospitals have insurance, the cost to recover from attacks could be up to 10 times what insurance pays out.
Security

SMS Phishers Harvested Phone Numbers, Shipment Data From UPS Tracking Tool (krebsonsecurity.com) 12

Posted by BeauHD from the another-day-another-data-breach dept.
An anonymous reader quotes a report from KrebsOnSecurity: The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. "smishing") messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn't be shipped unless the customer paid an added delivery fee. In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

"During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient's phone number," the letter reads. "Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information." The written notice goes on to say UPS believes the data exposure "affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023." [...]

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. "Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries," reads an email from Brian Hughes, director of financial and strategy communications at UPS. "Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted," Hughes said. "We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website."
IT

DuckDuckGo Browser Beta for Windows Bakes in a Lot of Privacy Tools (arstechnica.com) 21

Posted by msmash from the moving-forward dept.
Privacy-focused firm DuckDuckGo has released a public beta of its browser for Windows, offering more default privacy protections and an assortment of Duck-made browsing tools. From a report: Like its Mac browser, DuckDuckGo (DDG) uses "the underlying operating system rendering API" rather than its own forked browser code. That's "a Windows WebView2 call that utilizes the Blink rendering engine underneath," according to DuckDuckGo's blog post. Fittingly, the browser reports itself as Microsoft Edge at most header-scanning sites. Inside the DuckDuckGo browser, you'll find:

1. Duck Player, which shows (most) YouTube videos "without privacy-invading ads" and doesn't feed your recommendations
2. Tracker blocking that DDG cites as "above and beyond" other browsers, including third-party tracker loading
3. Enforced encryption
4. The "fire button" that instantly closes all tabs and clears website data
5. Cookie pop-up management, automatically selecting a private option and hiding "I accept" pop-ups
6. Email protection, making it easier to use an auto-forwarding duck.com address on web forms
Security

Latest SUSE Linux Enterprise Goes All in With Confidential Computing 7

Posted by msmash from the moving-forward dept.
SUSE's latest release of SUSE Linux Enterprise 15 Service Pack 5 (SLE 15 SP5) has a focus on security, claiming it as the first distro to offer full support for confidential computing to protect data. From a report: According to SUSE, the latest version of its enterprise platform is designed to deliver high-performance computing capabilities, with an inevitable mention of AI/ML workloads, plus it claims to have extended its live-patching capabilities. The release also comes just weeks after the community release openSUSE Leap 15.5 was made available, with the two sharing a common core. The Reg's resident open source guru noted that Leap 15.6 has now been confirmed as under development, which implies that a future SLE 15 SP6 should also be in the pipeline.

SUSE announced the latest version at its SUSECON event in Munich, along with a new report on cloud security issues claiming that more than 88 percent of IT teams have reported at least one cloud security incident over the the past year. This appears to be the justification for the claim that SLE 15 SP5 is the first Linux distro to support "the entire spectrum" of confidential computing, allowing customers to run fully encrypted virtual machines on their infrastructure to protect applications and their associated data. Confidential computing relies on hardware-based security mechanisms in the processor to provide this protection, so enterprises hoping to take advantage of this will need to ensure their servers have the necessary support, such as AMD's Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel's Trust Domain Extensions (TDX).
Social Networks

Some Subreddits Are Now Filled With Porn To Protest Reddit 101

Posted by msmash from the tough-luck dept.
An anonymous reader shares a report: A handful of subreddits have classified themselves as not safe for work (NSFW) to protest Reddit's recent treatment of the platform's volunteer moderators, and as a result, some non-porn communities are starting to get a lot of porn. More than 8,000 subreddits went dark last week in protest of the company's API pricing changes that are set to shut down popular third-party apps. But as the protests went on, Reddit started to push back. In an interview with The Verge, CEO Steve Huffman said that, while the platform allows the protests, "the users are not in support of it now. It's like a protest in a city that goes on too long, and the rest of the citizens of the city would like to go about their lives."

In an interview with NBC News, Huffman characterized moderators as "landed gentry." And some mods have felt threatened by messages sent to them by the company. Thousands of subreddits have reopened; one tracker indicates only about 3,300 remain private or restricted. But switching to NSFW creates a new level of friction in reopened communities.
Apple

iOS 17 and macOS Sonoma Automatically Generates Apple ID Passkeys (9to5mac.com) 32

Posted by msmash from the how-about-that dept.
You can now forgo entering your password on icloud.com and apple.com domains thanks to newly added passkey support. From a report: When running iOS 17 on an iPhone, any Apple site on the web can rely instead on Face ID or Touch ID to authenticate your login. As part of iOS 17, iPadOS 17, and macOS Sonoma, your Apple ID is automatically assigned a passkey that can be used for iCloud and Apple sites. If you're running iOS 17 on your iPhone, you can try it out now. Just go to any sign-in page with an apple.com or icloud.com domain, like appleid.apple.com or www.apple.com/shop/bag, and look for the Sign in with iPhone button after your enter your Apple ID email address. We've tried this from Safari on the Mac, although you can use passkeys on non-Apple devices as well. Once you select Sign in with iPhone, a QR code is presented that you scan with your iPhone. If you scan the QR code from the Camera app, you can tap the yellow link box to invoke Face ID or Touch ID to authenticate your identity on the web without ever entering your password.
Apple

Apple Expanding Self-Service Repair Program To iPhone 14 Lineup and More Macs (macrumors.com) 16

Posted by msmash from the moving-forward dept.
Apple today announced that its self-service repair program will be expanding to the iPhone 14 lineup, 13-inch MacBook Air with the M2 chip, and 14-inch and 16-inch MacBook Pro models with M2 Pro and M2 Max chips starting June 21. From a report: First launched in April 2022, Apple's program provides customers with access to parts, manuals, and tools to repair select devices. Apple says the program is designed for anyone with "experience repairing electronic devices," but says the "vast majority" of customers are better off visiting an Apple Store or Apple Authorized Service Provider. Apple also announced that customers can now complete the post-repair System Configuration process by placing the device into Diagnostics Mode and following the on-screen prompts. Users no longer need to contact the program's support team to complete this step, which verifies that the parts are genuine and working properly.
Wireless Networking

ASUS Urges Customers To Patch Critical Router Vulnerabilities (bleepingcomputer.com) 25

Posted by BeauHD from the PSA dept.
ASUS has released new firmware for several router models to address security vulnerabilities, including critical ones like CVE-2022-26376 and CVE-2018-1160, which can lead to denial-of-service attacks and code execution. The company advises customers to update their devices immediately or restrict WAN access until the devices are secured, urging them to create strong passwords and follow security measures. BleepingComputer reports: The first is a critical memory corruption weakness in the Asuswrt firmware for Asus routers that could let attackers trigger denial-of-services states or gain code execution. The other critical patch is for an almost five-year-old CVE-2018-1160 bug caused by an out-of-bounds write Netatalk weakness that can also be exploited to gain arbitrary code execution on unpatched devices.

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today. "We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected."

The list of impacted devices includes the following models: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.
Microsoft

Microsoft Says Early June Disruptions To Outlook, Cloud Platform, Were Cyberattacks (apnews.com) 25

Posted by msmash from the closer-look dept.
An anonymous reader shares a report: In early June, sporadic but serious service disruptions plagued Microsoft's flagship office suite -- including the Outlook email and OneDrive file-sharing apps -- and cloud computing platform. A shadowy hacktivist group claimed responsibility, saying it flooded the sites with junk traffic in distributed denial-of-service attacks. Initially reticent to name the cause, Microsoft has now disclosed that DDoS attacks by the murky upstart were indeed to blame.

But the software giant has offered few details -- and did not immediately comment on how many customers were affected and whether the impact was global. A spokeswoman confirmed that the group that calls itself Anonymous Sudan was behind the attacks. It claimed responsibility on its Telegram social media channel at the time. Some security researchers believe the group to be Russian. Microsoft's explanation in a blog post Friday evening followed a request by The Associated Press two days earlier. Slim on details, the post said the attacks "temporarily impacted availability" of some services. It said the attackers were focused on "disruption and publicity" and likely used rented cloud infrastructure and virtual private networks to bombard Microsoft servers from so-called botnets of zombie computers around the globe.
Security

Hackers Threaten To Leak 80GB of Confidential Data Stolen From Reddit (techcrunch.com) 61

Posted by msmash from the how-about-that dept.
Hackers are threatening to release confidential data stolen from Reddit unless the company pays a ransom demand -- and reverses its controversial API price hikes. From a report: In a post on its dark web leak site, the BlackCat ransomware gang, also known as ALPHV, claims to have stolen 80 gigabytes of compressed data from Reddit during a February breach of the company's systems. Reddit spokesperson Gina Antonini declined to answer TechCrunch's questions but confirmed that BlackCat's claims relate to a cyber incident confirmed by Reddit on February 9.

At the time, Reddit CTO Christopher Slowe, or KeyserSosa, said that hackers had accessed employee information and internal documents during a "highly-targeted" phishing attack. Slowe added that the company had "no evidence" that personal user data, such as passwords and accounts, had been stolen. Reddit didn't share any further details about the attack or who was behind it. However, BlackCat over the weekend claimed responsibility for the February intrusion and threatened to leak "confidential" data stolen during the breach. It's unclear exactly what types of data the hackers have stolen, and BlackCat hasn't shared any evidence of data theft.
Google

Google is Building a 153-Acre Neighborhood By Its Headquarters (sfgate.com) 68

Posted by EditorDavid from the company's-town dept.
In the heart of Silicon Valley, the city of Mountain View, California "just approved its biggest development ever," reports SFGate, "and it's for exactly the company you'd expect." Google got the go-ahead to build a 153-acre mixed-use neighborhood just south of its headquarters in north Mountain View on June 13, with unanimous city council approval.

Plans for the 30-year project, which will supplant the Google offices and parking lots currently in the area, include over 3 million square feet of office space and 7,000 residential units... Originally, the developers planned to dedicate 20% of the new housing to affordable units, but the approved plan sets aside only 15% for lower- and middle-income housing. Google lowered the target to make the project viable in an uncertain economic climate, a spokesperson told SFGATE. This past January, the firm laid off 12,000 workers.

The new development sounds an awful lot like the "company towns" of 1900-era American settlement — firms ran all the stores and housing for their workers — but a Google spokesperson said the new project's restaurants, housing and services would serve the broader Mountain View community. Along with the housing and Google office space, the plans include 26 acres of public parks and open space, up to 288,990 square feet of ground-floor commercial space, land for a school, new streets and a private utility system. The developers have 30 years to complete the project, as long as Google and Lendlease hit permit benchmarks and complete other terms within the first 15.
United States

'Plan To Save Downtown San Francisco From Doom Loop Approved by Lawmakers' (sfstandard.com) 233

Posted by EditorDavid from the open-up-your-golden-gates dept.
An anonymous reader shared this report from the nonprofit journalism site, the San Francisco Standard: The San Francisco Board of Supervisors on Tuesday approved legislation that aims to shore up the city's beleaguered Downtown by filling empty storefronts and expediting the conversion of underused office buildings into housing. The bill is a major component of Mayor London Breed's recovery agenda. Co-sponsored by Board President Aaron Peskin, it amends the city's planning code to expand residential uses and Downtown office conversions. It also streamlines the review of certain projects, among other changes...

Even with speedier project approvals, converting San Francisco office buildings to housing remains a costly endeavor; few developers have explored the option to date. At an April 3 hearing of the board's Land Use Committee, lawmakers outlined the need for multiple reforms to make conversions economically feasible; Supervisor Dean Preston voiced concerns that even those reforms would not accommodate low-income housing. Many say San Francisco's Downtown is currently caught in a "doom loop" driven by economic knock-on effects of the pandemic, including an office vacancy rate approaching 30% and trophy office towers changing hands at deep discounts...

The bill passed Tuesday is one of several legislative efforts to aid Downtown and the city's overall economy. Initiatives have included legislation to delay tax increases for retail, food service and other businesses hit hard by the pandemic, an "Office Attraction Tax Credit" for new companies opening in the city and a program called "Vacant to Vibrant," which provides grants to businesses which open "pop-up" shops and art spaces in Downtown's empty storefronts.
IT

Working-from-Home May Start an Office Real Estate Crisis - But Banks May Adapt (msn.com) 121

Posted by EditorDavid from the returns-on-offices dept.
The Washington Post reports that "Since the pandemic, employers — particularly in major cities — have been struggling to get their workers to return to the office, while others have given up and allowed workers to go fully remote.

"That trend is finally starting to catch up with the owners of office buildings in the form of rising vacancy rates and declining property values." Earlier this month, real estate data provider Trepp reported that an estimated $270 billion in commercial bank loans are coming due in 2023 — and warned of the potential for defaults. Office delinquencies spiked in May, signaling a "tipping point," according to Manus Clancy, senior managing director at Trepp. Asked about commercial real estate concerns in a television appearance on Wednesday, [U.S.] Treasury Secretary Janet L. Yellen said she thinks banks are "broadly preparing for some restructuring and difficulties going ahead...."

"If office and retail owners are having trouble generating rental income because people just aren't going into the office and shopping, then it increases the odds that they aren't going to be able to pay back those loans in timely way," said Mark Zandi, chief economist for Moody's Analytics. "That means losses will start to mount on those loans. And because the banking and financial system more broadly is already struggling with lots of other problems ... there's going to be more banking failures." Despite the public debate over return-to-office mandates at major companies, experts say office occupancy will never return to the levels experienced before 2020. In February, workplace data company Kastle Systems estimated that half of workers in the United States had returned, but that figure has stagnated since...

Still, many experts say the worst can still be avoided. The issues have been known for a while, giving lenders plenty of time to consider what to do. Banks can always renegotiate the terms of their loans to landlords... Although cities themselves could be in trouble because of property taxes and budget shortfalls, the financial system as a whole is more protected, said Brookings Institution fellow Tracy Hadden Loh, who researches real estate and cities. "It's in no one's interest to have them all fall into foreclosure at once, because that could destabilize the banking system," she said. "So banks will take what they can get in terms of payment and work through this."
Bug

Windows 11 Update Breaks Chrome for Some Antivirus Software Users (bleepingcomputer.com) 49

Posted by EditorDavid from the broken-Windows dept.
Wednesday BleepingComputer reported: Malwarebytes confirmed today that the Windows 11 22H2 KB5027231 cumulative update released this Patch Tuesday breaks Google Chrome on its customers' systems... While uninstalling the KB5027231 update fixes the issue, admins report that it's not possible to do so via Windows Server Update Services because of a "catastrophic error..." The Google Chrome process is actually running but is prevented from fully launching the application and loading the user interface due to the conflict.
Then Friday BleepingComputer reported that the same update "also breaks Google Chrome on systems protected by Cisco and WatchGuard EDR and antivirus solutions." "We deploy Secure Endpoint 8.1.7 to our few thousand devices, and we started getting a mountain of reports this morning that Google Chrome would not appear on the screen after attempting to open it," one admin said. "With a little trial & error, I found that killing the Secure Endpoint service or uninstalling Secure Endpoint will allow Chrome to open again..."

WatchGuard staff also confirmed on Friday that Google Chrome wouldn't open on Windows 11 after installing KB5027231 if anti-exploit protection is enabled in the company's Endpoint Security software.
Thanks to Slashdot reader boley1 for sharing the news.
Bug

Dev Boots Linux 292,612 Times to Find Kernel Bug (tomshardware.com) 32

Posted by EditorDavid from the hardcore-boots dept.
Long-time Slashdot reader waspleg shared this story from Hot Hardware: Red Hat Linux developer Richard WM Jones has shared an eyebrow raising tale of Linux bug hunting. Jones noticed that Linux 6.4 has a bug which means it will hang on boot about 1 in 1,000 times. Jones set out to pinpoint the bug, and prove he had caught it red handed. However, his headlining travail, involving booting Linux 292,612 times (and another 1,000 times to confirm the bug) apparently "only took 21 hours." It also seems that the bug is less common with Intel hardware than AMD based machines.
Encryption

The US Navy, NATO, and NASA Are Using a Shady Chinese Company's Encryption Chips (wired.com) 45

Posted by BeauHD from the probably-not-a-one-off-mistake dept.
New submitter ole_timer shares a report from Wired: TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans -- and the US government -- increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West. In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called "Entity List," a vaguely named trade restrictions list that highlights companies "acting contrary to the foreign policy interests of the United States." Specifically, the bureau noted that Hualan had been added to the list for "acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army."

Yet nearly two years later, Hualan -- and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016 -- still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too. The disconnect between the Commerce Department's warnings and Western government customers means that chips sold by Hualan's subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor's Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China's government to stealthily decrypt Western agencies' secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.

"If a company is on the Entity List with a specific warning like this one, it's because the US government says this company is actively supporting another country's military development," says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. "It's saying you should not be purchasing from them, not just because the money you're spending is going to a company that will use those proceeds in the furtherance of another country's military objectives, but because you can't trust the product." [...] The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. "At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments," he says. "It seems very significant. And it's probably not a one-off mistake."
Security

Security Expert Defeats Lenovo Laptop BIOS Password With a Screwdriver (tomshardware.com) 31

Posted by BeauHD from the screw-this dept.
Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password. Tom's Hardware reports: Before we go further, it is worth pointing out that CyberCX's BIOS password bypass demonstration was done on several Lenovo laptops that it had retired from service. The blog shows that the easily reproducible bypass is viable on the Lenovo ThinkPad L440 (launched Q4 2013) and the Lenovo ThinkPad X230 (launched Q3 2012). Other laptop and desktop models and brands that have a separate EEPROM chip where passwords are stored may be similarly vulnerable. [...] From reading various documentation and research articles, CyberCX knew that it needed to follow the following process on its BIOS-locked Lenovo laptops: Locate the correct EEPROM chip; Locate the SCL and SDA pins; and Short the SCL and SDA pins at the right time.

Checking likely looking chips on the mainboard and looking up series numbers eventually lead to being able to target the correct EEPROM. In the case of the ThinkPad L440, the chip is marked L08-1 X (this may not always be the case). An embedded video in the CyberCX blog post shows just how easy this 'hack' is to do. Shorting the L08-1 X chip pins requires something as simple as a screwdriver tip being held between two of the chip legs. Then, once you enter the BIOS, you should find that all configuration options are open to be changed. There is said to be some timing needed, but the timing isn't so tight, so there is some latitude. You can watch the video for a bit of 'technique.'

CyberCX includes some quite in-depth analysis of how its BIOS hack works and explains that you can't just short the EEPROM chips straight away as you turn the machine on (hence the need for timing). Some readers may be wondering about their own laptops or BIOS-locked machines they have seen on eBay and so on. CyberCX says that some modern machines with the BIOS and EEPROM packages in one Surface Mount Device (SMD) would be more difficult to hack in this way, requiring an "off-chip attack." The cyber security firm also says that some motherboard and system makers do indeed already use an integrated SMD. Those particularly worried about their data, rather than their system, should implement "full disk encryption [to] prevent an attacker from obtaining data from the laptop's drive," says the security outfit.
Security

Millions of Americans' Personal Data Exposed in Global Hack (cnn.com) 17

Posted by msmash from the security-woes dept.
Millions of people in Louisiana and Oregon have had their data compromised in the sprawling cyberattack that has also hit the US federal government, state agencies said late Thursday. From a report: The breach has affected 3.5 million Oregonians with driver's licenses or state ID cards, and anyone with that documentation in Louisiana, authorities said. The Louisiana governor's office did not put a number on the number of victims but over 3 million Louisianians hold driver's licenses, according to public data. The states did not blame anyone in particular for the hack, but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang. The sweeping hack has likely exposed data at hundreds of organizations across the globe and also compromised multiple US federal agencies, including the Department of Energy, as well as data from major corporations in Britain like the BBC and British Airways. The Russian-speaking hackers that claimed credit are known to demand multimillion-dollar ransoms, though US and state governments say they have not received any demands.
EU

EU Votes To Bring Back Replaceable Phone Batteries 218

Posted by msmash from the closer-look dept.
What's old is new again, at least in the European Union. The European Parliament recently voted in favor of new legislation that would overhaul the entire battery life cycle, from design to end-of-life, which includes important caveats for smartphone users. From a report: Among the many changes, the new rules would require batteries in consumer devices like smartphones to be easily removable and replaceable. That's far from the case today with most phones, but that wasn't always the case.

Slashdot Top Deals