The Federal Trade Commission (FTC) has a new way to combat the impersonation scams that it says cost people $1.1 billion last year alone. Effective today, the agency's rule "prohibits the impersonation of government, businesses, and their officials or agents in interstate commerce." The rule also lets the FTC directly file federal court complaints to force scammers to return money stolen by business or government impersonation. From a report: Impersonation scams are wide-ranging -- creators are on the lookout for fake podcast invites that turn into letting scammers take over their Facebook pages via a hidden "datasets" URL, while Verge reporters have been impersonated by criminals trying to steal cryptocurrency via fake Calendly meeting links.

Linus Media Group was victimized by a thief who pretended to be a potential sponsor and managed to take over three of the company's YouTube channels. Some scams can also be very intricate, as in The Cut financial columnist Charlotte Cowles' story of how she lost a shoebox holding $50,000 to an elaborate scam involving a fake Amazon business account, the FTC, and the CIA. (See also: gift card scams.) The agency is also taking public comment until April 30th on changes to the rule that would allow it to also target impersonation of individuals, such as through the use of video deepfakes or AI voice cloning. That would let it take action against, say, scams involving impersonations of Elon Musk on X or celebrities in YouTube ads. Others have used AI for more sinister fraud, such as voice clones of loved ones claiming to be kidnapped.

OpenAI is making its flagship conversational AI accessible to everyone, even people who haven't bothered making an account. From a report: It won't be quite the same experience, however -- and of course all your chats will still go into their training data unless you opt out. Starting today in a few markets and gradually rolling out to the rest of the world, visiting chat.openai.com will no longer ask you to log in -- though you still can if you want to. Instead, you'll be dropped right into conversation with ChatGPT, which will use the same model as logged-in users.

"After taking a look at Floorp Browser, I was left wondering whether there was a Chromium-based web browser that was as good, or even better than Chrome," writes a "First Look" reviewer at It's Foss News.

"That is when I came across Thorium, a web-browser that claims to be the 'the fastest browser on Earth'." [Thorium] is backed by a myriad of tweaks that include, compiler optimizations for SSE4.2, AVS, AES, various mods to CFLAGS, LDFLAGS, thinLTO flags, and more. The developer shares performance stats using popular benchmarking tools... I tested it using Speedometer 3.0 benchmark on Fedora 39 and compared it to Brave, and the scores were:

Thorium: 19.2; Brave: 19.5

So, it may not be the "fastest" always, probably one of the fastest, that comes close to Brave or sometimes even beats it (depends on the version you tested it and your system).

Alexander Frick, the lead developer, also insists on providing support for older operating systems such as Windows 7 so that its user base can use a capable modern browser without much fuss... As Thorium is a cross-platform web browser, you can find packages for a wide range of platforms such as Linux, Raspberry Pi, Windows, Android, macOS, and more.
Thorium can sync to your Google account to import your bookmarks, extensions, and themes, according to the article.

"Overall, I can confidently say that it is a web browser I could daily drive, if I were to ditch Chrome completely. It gels in quite well with the Google ecosystem and has a familiar user interface that doesn't get in the way."

Personal data from 73 million AT&T customers has leaked onto the dark web, reports CNN — both current and former customers.

AT&T has launched an investigation into the source of the data leak... In a news release Saturday morning, the telecommunications giant said the data was "released on the dark web approximately two weeks ago," and contains information such as account holders' Social Security numbers. ["The information varied by customer and account," AT&T said in a statement, " but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode."]

"It is not yet known whether the data ... originated from AT&T or one of its vendors," the company added. "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."

The data seems to have been from 2019 or earlier. The leak does not appear to contain financial information or specifics about call history, according to AT&T. The company said the leak shows approximately 7.6 million current account holders and 65.4 million former account holders were affected.
CNN says the first reports of the leak came two weeks ago from a social media account claiming "the largest collection of malware source code, samples, and papers. Reached for a comment by CNN, AT&T had said at the time that "We have no indications of a compromise of our systems."

AT&T's web site now includes a special page with an FAQ — and the tagline that announces "We take cybersecurity very seriously..."

"It has come to our attention that a number of AT&T passcodes have been compromised..."

The page points out that AT&T has already reset the passcodes of "all 7.6 million impacted customers." It's only further down in the FAQ that they acknowledge that the breach "appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders." Our internal teams are working with external cybersecurity experts to analyze the situation... We encourage customers to remain vigilant by monitoring account activity and credit reports. You can set up free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion. You can also request and review your free credit report at any time via Freecreditreport.com...

We will reach out by mail or email to individuals with compromised sensitive personal information and offering complimentary identity theft and credit monitoring services... If your information was impacted, you will be receiving an email or letter from us explaining the incident, what information was compromised, and what we are doing for you in response.

404 Media claims to have identified "the fundamental flaw with the age verification bills and laws" that have already passed in eight state legislatures (with two more taking effect in July): "the delusional, unfounded belief that putting hurdles between people and pornography is going to actually prevent them from viewing porn."

They argue that age verification laws "drag us back to the dark ages of the internet." Slashdot reader samleecole shared this excerpt: What will happen, and is already happening, is that people — including minors — will go to unmoderated, actively harmful alternatives that don't require handing over a government-issued ID to see people have sex. Meanwhile, performers and companies that are trying to do the right thing will suffer....

The legislators passing these bills are doing so under the guise of protecting children, but what's actually happening is a widespread rewiring of the scaffolding of the internet. They ignore long-established legal precedent that has said for years that age verification is unconstitutional, eventually and inevitably reducing everything we see online without impossible privacy hurdles and compromises to that which is not "harmful to minors." The people who live in these states, including the minors the law is allegedly trying to protect, are worse off because of it. So is the rest of the internet.
Yet new legislation is advancing in Kentucky and Nebraska, while the state of Kansas just passed a law which even requires age-verification for viewing "acts of homosexuality," according to a report: Websites can be fined up to $10,000 for each instance a minor accesses their content, and parents are allowed to sue for damages of at least $50,000. This means that the state can "require age verification to access LGBTQ content," according to attorney Alejandra Caraballo, who said on Threads that "Kansas residents may soon need their state IDs" to access material that simply "depicts LGBTQ people."
One newspaper opinion piece argues there's an easier solution: don't buy your children a smartphone: Or we could purchase any of the various software packages that block social media and obscene content from their devices. Or we could allow them to use social media, but limit their screen time. Or we could educate them about the issues that social media causes and simply trust them to make good choices. All of these options would have been denied to us if we lived in a state that passed a strict age verification law. Not only do age verification laws reduce parental freedom, but they also create myriad privacy risks. Requiring platforms to collect government IDs and face scans opens the door to potential exploitation by hackers and enemy governments. The very information intended to protect children could end up in the wrong hands, compromising the privacy and security of millions of users...

Ultimately, age verification laws are a misguided attempt to address the complex issue of underage social media use. Instead of placing undue burdens on users and limiting parental liberty, lawmakers should look for alternative strategies that respect privacy rights while promoting online safety.
This week a trade association for the adult entertainment industry announced plans to petition America's Supreme Court to intervene.

"Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI," the Register reported Thursday

"Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned." If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.

According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions. There is a legit huggingface-cli, installed using pip install -U "huggingface_hub[cli]". But the huggingface-cli distributed via the Python Package Index (PyPI) and required by Alibaba's GraphTranslator — installed using pip install huggingface-cli — is fake, imagined by AI and turned real by Lanyado as an experiment.

He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool... huggingface-cli received more than 15,000 authentic downloads in the three months it has been available... "In addition, we conducted a search on GitHub to determine whether this package was utilized within other companies' repositories," Lanyado said in the write-up for his experiment. "Our findings revealed that several large companies either use or recommend this package in their repositories...."

Lanyado also said that there was a Hugging Face-owned project that incorporated the fake huggingface-cli, but that was removed after he alerted the biz.
"With GPT-4, 24.2 percent of question responses produced hallucinated packages, of which 19.6 percent were repetitive, according to Lanyado..."

Thanks to long-time Slashdot reader schneidafunk for sharing the article.

The Record reports: Ross Anderson, a professor of security engineering at the University of Cambridge who is widely recognized for his contributions to computing, passed away at home on Thursday according to friends and colleagues who have been in touch with his family and the University.

Anderson, who also taught at Edinburgh University, was one of the most respected academic engineers and computer scientists of his generation. His research included machine learning, cryptographic protocols, hardware reverse engineering and breaking ciphers, among other topics. His public achievements include, but are by no means limited to, being awarded the British Computer Society's Lovelace Medal in 2015, and publishing several editions of the Security Engineering textbook.
Anderson's security research made headlines throughout his career, with his name appearing in over a dozen Slashdot stories...

• 2023: Researchers Warn of 'Model Collapse' As AI Trains On AI-Generated Content

• 2021: 'Trojan Source' Bug Threatens the Security of All Code

• 2015: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

• 2012: UK Web Snooping Plan Invades Privacy, Despite Claims To the Contrary

• 2010: Why "Verified By Visa" System Is Insecure

• 2008: Researchers Expose New Credit Card Fraud Risk

• 2006: "Security Engineering" Is Now Online. [The link from that 2006 post still works. Slashdot called Anderson's book "arguably the best information security book ever written" in one of two reviews, published in 2002 and 2010.]

• 2002:Security of Open vs. Closed Source Software.

• 2002: Analyzing Palladium

My favorite story? UK Banks Attempt To Censor Academic Publication.

"Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online..."

BrianFagioli shares a report from BetaNews: In a recent security announcement, Red Hat's Information Risk and Security and Product Security teams have identified a critical vulnerability in the latest versions of the 'xz' compression tools and libraries. The affected versions, 5.6.0 and 5.6.1, contain malicious code that could potentially allow unauthorized access to systems. Fedora Linux 40 users and those using Fedora Rawhide, the development distribution for future Fedora builds, are at risk.

The vulnerability, designated CVE-2024-3094, impacts users who have updated to the compromised versions of the xz libraries. Red Hat urges all Fedora Rawhide users to immediately cease using the distribution for both work and personal activities until the issue is resolved. Plans are underway to revert Fedora Rawhide to the safer xz-5.4.x version, after which it will be safe to redeploy Fedora Rawhide instances. Although Fedora Linux 40 builds have not been confirmed to be compromised, Red Hat advises users to downgrade to a 5.4 build as a precautionary measure. An update reverting xz to 5.4.x has been released and is being distributed to Fedora Linux 40 users through the normal update system. Users can expedite the update by following instructions provided by Red Hat. Further reader submissions: xz/liblzma Backdoored, Facilitating ssh Compromise;
Malicious Code Discovered in Popular XZ Utils.

An anonymous reader writes: What if you could update the device while it's still in the box? That's the latest plan cooked up by Apple, which is close to rolling out a system that will let Apple Stores wirelessly update new iPhones while they're still in their boxes. The new system is called "Presto." French site iGeneration has the first picture of what this setup looks like. It starts with a clearly Apple-designed silver rack that holds iPhones and has a few lights on the front. The site (through translation) calls the device a "toaster," and yes, it looks like a toaster oven or food heating rack.

Bloomberg's Mark Gurman has been writing about whispers of this project for months, saying in one article that the device can "wirelessly turn on the iPhone, update its software and then power it back down -- all without the phone's packaging ever being opened." In another article, he wrote that the device uses "MagSafe and other wireless technologies." The iGeneration report also mentions that the device uses NFC, and there are "templates" that help with positioning the various-sized iPhone boxes so the NFC and wireless charging will work. With that wireless charging, downloading, and installing, all while being isolated in a cardboard box, Apple's "toaster" probably gets pretty hot.

Dashlane, in a support page: Due to changes in business priorities, we've decided to discontinue the Dashlane Authenticator app as of May 13, 2024. You can still use the main Dashlane app as an authenticator to protect logins stored in Dashlane with 2-factor authentication.

An anonymous reader shares a report: Fisker temporarily lost track of millions of dollars in customer payments as it scaled up deliveries, leading to an internal audit that started in December and took months to complete, TechCrunch has learned.

The EV startup was ultimately able to track down a majority of those payments or request new ones from customers whose payment methods had expired. But the disarray, which was described to TechCrunch by three people familiar with the internal payment crisis, took employees and resources away from Fisker's sales team at a time when the company was attempting to save itself by restructuring its business model.

Fisker struggled to keep tabs on these transactions, which included down payments and in some cases, the full price of the vehicles, because of lax internal procedures for keeping track of them, according to the people. In a few cases, it delivered vehicles without collecting any form of payment at all, they said.

An anonymous reader quotes a report from KrebsOnSecurity: Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user's account is under attack and that Apple support needs to "verify" a one-time code. [...]

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven't even been acted on by the user? Could this be the result of a bug in Apple's systems? Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he's convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed "AirDoS" because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop -- a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple's fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple's rate limit on how many of these password reset requests can be sent in a given timeframe. "I think this could be a legit Apple rate limit bug that should be reported," Bagaria said.

The U.S. State Department has offered up to $10 million for information on the "Blackcat" ransomware gang who hit the UnitedHealth Group's tech unit and snarled insurance payments across America. From a report: "The ALPHV Blackcat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide," the department said in a statement announcing the reward offer.

UnitedHealth said last week it was beginning to clear a medical claims backlog of more than $14 billion as it brought its services back online following the cyberattack, which caused wide-ranging disruption starting in late February. UnitedHealth's tech unit, Change Healthcare, plays a critical role in processing payments from insurance companies to practitioners, and the outage caused by the cyberattack has in some cases left patients and doctors out of pocket. The toll on the community health centers that serve more than 30 million poor and uninsured patients has been especially harsh.

Global bank messaging network SWIFT is planning a new platform in the next one to two years to connect the wave of central bank digital currencies now in development to the existing finance system, it has told Reuters. From the report: The move, which would be one of the most significant yet for the nascent CBDC ecosystem given SWIFT's key role in global banking, is likely to be fine-tuned to when the first major ones are launched. Around 90% of the world's central banks are now exploring digital versions of their currencies. Most don't want to be left behind by bitcoin and other cryptocurrencies, but are grappling with technological complexities.

SWIFT's head of innovation, Nick Kerigan, said its latest trial, which took 6 months and involved a 38-member group of central banks, commercial banks and settlement platforms, had been one of the largest global collaborations on CBDCs and "tokenised" assets to date. It focused on ensuring different countries' CBDCs can all be used together even if built on different underlying technologies, or "protocols", thereby reducing payment system fragmentation risks.

An anonymous reader shares a report:Intel, Microsoft, Qualcomm, and AMD have all been pushing the idea of an "AI PC" for months now as we head toward more AI-powered features in Windows. While we're still waiting to hear the finer details from Microsoft on its big plans for AI in Windows, Intel has started sharing Microsoft's requirements for OEMs to build an AI PC -- and one of the main ones is that an AI PC must have Microsoft's Copilot key. Microsoft wants its OEM partners to provide a combination of hardware and software for its idea of an AI PC. That includes a system that comes with a Neural Processing Unit (NPU), the latest CPUs and GPUs, and access to Copilot. It will also need to have the new Copilot key that Microsoft announced earlier this year.

This requirement means that some laptops, like Asus' new ROG Zephyrus, have already shipped with Intel's new Core Ultra chips and aren't technically AI PCs in the eyes of Microsoft's strict requirements because they don't have a Copilot key. But they're still AI PCs in Intel's eyes. "Our joint aligned definition, Intel and Microsoft, we've aligned on Core Ultra, Copilot, and Copilot key," explains Todd Lewellen, head of the PC ecosystem at Intel, in a press briefing with The Verge. "From an Intel perspective our AI PC has Core Ultra and it has an integrated NPU because it is unlocking all kinds of new capabilities and functions in the AI space. We have great alignment with Microsoft, but there are going to be some systems out there that may not have the physical key on it but it does have our integrated NPU."

Britain's government has been urged to provide more support for the software industry with measures including tax incentives and talent visas. From a report: More than 120 industry leaders have called for government intervention to improve conditions for European software companies. Europe has long struggled to scale up homegrown tech companies as successfully as the U.S., with many startups forced to seek investment abroad as they scale up.

A new policy document -- published by industry body Boardwave and seen by Reuters -- highlights what it calls Europe's "dreadful" track record of scaling software companies, with one recent study showing only one software-focused firm, Sage, counted among Britain's top 100 publicly-traded businesses, compared to dozens in the U.S. Phill Robinson, Boardwave founder and a former executive at software giant Salesfore, shared the report with Britain's technology minister Michele Donelan last week, warning that mid-sized software companies had received little government attention compared to Big Tech firms and buzzy venture-funded startups.

Google is releasing an optimized version of its Chrome browser for Windows on Arm this week, the search giant has announced alongside chipmaker Qualcomm. From a report: The official release comes two months after an early version of the browser was spotted in Chrome's Canary channel. Qualcomm says the release "will roll out starting today."

The release will be a big deal for any Chrome users with Windows machines powered by Arm-based processors, who'll now have access to a much faster native browser. That's in contrast to the x64 version of Chrome they've previously had to run in an emulated state with slow performance. Arm-based users have previously been able to turn to Microsoft's Edge, which is already available for Windows on Arm devices.

The Register: Cloudflare has revealed a little about how it maintains the millions of boxes it operates around the world -- including the concept of an "error budget" that enacts "empathy embedded in automation." In a Tuesday post titled "Autonomous hardware diagnostics and recovery at scale," the internet-taming biz explains that it built fault-tolerant infrastructure that can continue operating with "little to no impact" on its services. But as explained by infrastructure engineering tech lead Jet Marsical and systems engineers Aakash Shah and Yilin Xiong, when servers did break the Data Center Operations team relied on manual processes to identify dead boxes. And those processes could take "hours for a single server alone, and [could] easily consume an engineer's entire day."

Which does not work at hyperscale. Worse, dead servers would sometimes remain powered on, costing Cloudflare money without producing anything of value. Enter Phoenix -- a tool Cloudflare created to detect broken servers and automatically initiate workflows to get them fixed. Phoenix makes a "discovery run" every thirty minutes, during which it probes up to two datacenters known to house broken boxen. That pace of discovery means Phoenix can find dead machines across Cloudflare's network in no more than three days. If it spots machines already listed for repairs, it "takes care of ensuring that the Recovery phase is executed immediately."

An anonymous reader shares a report: About 6,000 older Bitcoin mining machines in the US will soon be idled and sent to a warehouse in Colorado Springs where they'll be refreshed and resold to buyers overseas looking to profit from mining in lower-cost environs. Wholesaler SunnySide Digital operates the 35,000 square-foot facility taking in the equipment from a mining client. The outdated machines are among several hundred-thousand it expects to receive and refurbish around a major quadrennial update in the Bitcoin blockchain.

Known as the halving, the late April event will slash the reward that's the main revenue stream for miners, who will try to lessen the impact by upgrading to the latest and most efficient technology. With electricity the biggest expense, mining companies including publicly traded giants Marathon Digital Holdings and Riot Platforms need to lower usage costs to maintain a positive margin. Their older computers may still bring a profit, just not likely in the US.

Some 600,000 S19 series computers, which account for a majority of machines currently in use, are moving out of the US mostly to Africa and South America, according to an estimate by Ethan Vera, chief operating officer at crypto-mining services and logistics provider Luxor Technology in Seattle. In Bitcoin mining, specialized machines are used to validate transactions on the blockchain and earn operators a fixed token reward. Anonymous Bitcoin creator Satoshi Nakamoto baked in the once-every-four-years halving to maintain the hard cap of 21 million tokens. Next month's event is the fourth since 2012 and the reward will drop to 3.125 Bitcoin from 6.25 now.

Atlas VPN informed customers on Monday that it will discontinue its services on April 24, citing technological demands, market competition, and escalating costs as key factors in the decision. The company said it will transfer its paid subscribers to its sister company, NordVPN, for the remainder of their subscription period to ensure uninterrupted VPN services.