AI

Investment Advisors Pay the Price For Selling What Looked a Lot Like AI Fairy Tales (theregister.com) 15

Two investment advisors have reached settlements with the US Securities and Exchange Commission for allegedly exaggerating their use of AI, which in both cases was purported to be a cornerstone of their offerings. From a report: Canada-based Delphia and San Francisco-headquartered Global Predictions will cough up $225,000 and $175,000 respectively for telling clients that their products used AI to improve forecasts. The financial watchdog said both were engaging in "AI washing," a term used to describe the embellishment of machine-learning capabilities.

"We've seen time and again that when new technologies come along, they can create buzz from investors as well as false claims by those purporting to use those new technologies," said SEC chairman Gary Gensler. "Delphia and Global Predictions marketed to their clients and prospective clients that they were using AI in certain ways when, in fact, they were not." Delphia claimed its system utilized AI and machine learning to incorporate client data, a statement the SEC said it found to be false.

"Delphia represented that it used artificial intelligence and machine learning to analyze its retail clients' spending and social media data to inform its investment advice when, in fact, no such data was being used in its investment process," the SEC said in a settlement order. Despite being warned about suspected misleading practices in 2021 and agreeing to amend them, Delphia only partially complied, according to the SEC. The company continued to market itself as using client data as AI inputs but never did anything of the sort, the regulator said.

IT

Apex Legends Streamers Warned To 'Perform a Clean OS Reinstall as Soon as Possible' After Hacks During NA Finals Match (pcgamer.com) 59

An anonymous reader shares a report: The Apex Legends Global Series is currently in regional finals mode, but the North America finals have been delayed after two players were hacked mid-match. First, Noyan "Genburten" Ozkose of DarkZero suddenly found himself able to see other players through walls, then Phillip "ImperialHal" Dosen of TSM was given an aimbot. Genburten's hack happened part of the way through the day's third match. A Twitch clip of the moment shows the words "Apex hacking global series by Destroyer2009 & R4ndom" repeating over chat as he realizes he's been given a cheat and takes his hands off the controls. "I can see everyone!" he says, before leaving the match.

ImperialHal was hacked in the game immediately after that. "I have aimbot right now!" he shouts in a clip of the moment, before declaring "I can't shoot." Though he continued attempting to play out the round, the match was later abandoned. The volunteers at the Anti-Cheat Police Department have since issued a PSA announcing, "There is currently an RCE exploit being abused in [Apex Legends]" and that it could be delivered via the game itself, or its anti-cheat protection. "I would advise against playing any games protected by EAC or any EA titles", they went on to say.

As for players of the tournament, they strongly recommended taking protective measures. "It is advisable that you change your Discord passwords and ensure that your emails are secure. Also enable MFA for all your accounts if you have not done it yet", they said, "perform a clean OS reinstall as soon as possible. Do not take any chances with your personal information, your PC may have been exposed to a rootkit or other malicious software that could cause further damage." The rest of the series has now been postponed, "Due to the competitive integrity of this series being compromised," as the official Twitter account announced. They finished by saying, "We will share more information soon."

Security

Fujitsu Says It Was Hacked, Warns of Data Breach (techcrunch.com) 10

Multinational technology giant Fujitsu confirmed a cyberattack in a statement Friday, and warned that hackers may have stolen personal data and customer information. From a report: "We confirmed the presence of malware on multiple work computers at our company, and as a result of an internal investigation, we discovered that files containing personal information and customer information could be illegally taken out," said Fujitsu in its statement on its website, translated from Japanese.

Fujitsu said it disconnected the affected systems from its network, and is investigating how its network was compromised by malware and "whether information has been leaked." The tech conglomerate did not specify what kind of malware was used, or the nature of the cyberattack. Fujitsu also did not say what kind of personal information may have been stolen, or who the personal information pertains to -- such as its employees, corporate customers, or citizens whose governments use the company's technologies.

Microsoft

Microsoft Office 2024 Will Be Available Without Subscription (betanews.com) 39

SofiaWW writes: Microsoft has announced that the next subscription-free version of its Office suite will launch later this year. A commercial preview of Office LTSC 2024 will be available from next month, with a full launch scheduled for later in the year.

The Office Long-Term Servicing Channel is supported for five years, and it holds great appeal for the many businesses that are not keen on the idea of software subscriptions. There will also be a consumer-focused version of the suite, Office 2024, available via a traditional 'one-time purchase' model.
Further reading: Microsoft Really Doesn't Want You To Buy Office 2019 (From 2019).

Businesses

32-Hour Workweek for America Proposed by Senator Bernie Sanders (theguardian.com) 390

The Guardian reports that this week "Bernie Sanders, the independent senator from Vermont who twice ran for the Democratic presidential nomination, introduced a bill to establish a four-day US working week." "Moving to a 32-hour workweek with no loss of pay is not a radical idea," Sanders said on Thursday. "Today, American workers are over 400% more productive than they were in the 1940s. And yet millions of Americans are working longer hours for lower wages than they were decades ago. That has got to change. The financial gains from the major advancements in artificial intelligence, automation and new technology must benefit the working class, not just corporate chief executives and wealthy stockholders on Wall Street.

"It is time to reduce the stress level in our country and allow Americans to enjoy a better quality of life. It is time for a 32-hour workweek with no loss in pay."

The proposed bill "has received the endorsement of the American Federation of Labor and Congress of Industrial Organizations, United Auto Workers, the Service Employees International Union, the Association of Flight Attendants" — as well as several other labor unions, reports USA Today: More than half of adults employed full time reported working more than 40 hours per week, according to a 2019 Gallup poll... More than 70 British companies started to test a four-day workweek last year, and most respondents reported there has been no loss in productivity.
A statement from Senator Sanders: Bill Gates, the founder of Microsoft, and Jamie Dimon, the CEO of JP Morgan Chase, predicted last year that advancements in technology would lead to a three or three-and-a-half-day workweek in the coming years. Despite these predictions, Americans now work more hours than the people of most other wealthy nations, but are earning less per week than they did 50 years ago, after adjusting for inflation.
"Sanders also pointed to other countries that have reduced their workweeks, such as France, Norway and Denmark," adds NBC News.

USA Today notes that "While Sanders' role as chair of the Senate Health, Education, Labor, and Pensions Committee places a greater focus on shortening the workweek, it is unlikely the bill will garner enough support from Republicans to become federal law and pass in both chambers."

And political analysts who spoke to ABC News "cast doubt on the measure's chances of passage in a divided Congress where opposition from Republicans is all but certain," reports ABC News, "and even the extent of support among Democrats remains unclear."

IT

Dell Workers Can Stay Remote - But They're Not Going to Get Promoted (yahoo.com) 96

"Dell's strict new RTO mandate excludes fully remote workers from promotion," reports Business Insider.

The site calls it "one of the most abrupt changes to remote work policies," noting that Dell "has had a hybrid working culture in place for more than a decade — long before the pandemic struck." "Dell cared about the work, not the location," a senior employee at Dell who's worked remotely for more than a decade, told Business Insider last month. "I would say 10% to 15% of every team was remote." That flexibility has enabled staff to sustain their careers in the face of major life changes, several employees told BI. It has also helped Dell to be placed on the "Best Place to Work for Disability Equality Index" since 2018. But in February Dell introduced a strict return-to-office mandate, with punitive measures for those who want to stay at home.

Under the new policy, staff were told that from May almost all will be classified as either "hybrid," or "remote." Hybrid workers will be required to come into an "approved" office at least 39 days a quarter — the equivalent of about three days a week, internal documents seen by BI show. If they want to keep working from home, staff can opt to go fully remote. But that option has a downside: fully remote workers will not be considered for promotion, or be able to change roles.

Workers have said Dell's approach might be intended to lower headcount without having to pay severance by inducing some employees to quit. But reached by Business Insider for a comment, Dell defended their approach as instead "critical to drive innovation and value differentiation."

But Professor Cary Cooper, an organizational psychologist and cofounder of the National Forum for Health and Wellbeing at work, tells the site Dell could be following a "pack mentality" among tech companies — or reacting to a sluggish world economy. "Senior execs somehow think that people in the office are more productive than at home, even though there's no evidence to back that up."

Business Insider added that Dell's approach "differs from founder and CEO Michael Dell's previous support for remote workers," who famously said "If you are counting on forced hours spent in a traditional office to create collaboration and provide a feeling of belonging within your organization, you're doing it wrong."

IT

McDonald's IT Systems Outage Shuts Some Restaurants Globally (bleepingcomputer.com) 32

An anonymous reader quotes a report from BleepingComputer: McDonald's restaurants are suffering global IT outages that prevent employees from taking orders and accepting payments, causing some stores to close for the day. The outages started overnight and are impacting restaurants globally, including those in the USA, Japan, Australia, Canada, the Netherlands, Italy, New Zealand, and the UK. "We are aware of a technology outage, which impacted our restaurants; the issue is now being resolved," McDonald's said in a statement to BleepingComputer. "We thank customers for their patience and apologize for any inconvenience this may have caused. Notably, the issue is not related to a cybersecurity event." In an updated statement, McDonald's says that the outage was caused by a third-party provider during a configuration change. "Many markets are back online, and the rest are in the process of coming back online. This issue was not directly caused by a cybersecurity event; rather, it was caused by a third-party provider during a configuration change."

Microsoft

Microsoft is Once Again Asking Chrome Users To Try Bing Through Unblockable Pop-ups (engadget.com) 163

Microsoft has been pushing Bing pop-up ads in Chrome on Windows 10 and 11. The new ad once again encourages Chrome users (in bold lettering) to use Bing instead of Google search. From a report: "Chat with GPT-4 for free on Chrome! Get hundreds of daily chat turns with Bing AI," the ad reads. If you click "Yes," the pop-up will install the "Bing Search" Chrome extension while making Microsoft's search engine the default.

If you click "Yes" on the ad to switch to Bing, a Chrome pop-up will appear, asking you to confirm that you want to change the browser's default search engine. "Did you mean to change your search provider?" the pop-up asks. "The 'Microsoft Bing Search for Chrome' extension changed search to use bing.com," Chrome's warning states. Directly beneath that alert, seemingly in anticipation of Chrome's pop-up, another Windows notification warns, "Wait -- don't change it back! If you do, you'll turn off Microsoft Bing Search for Chrome and lose access to Bing AI with GPT-4 and DALL-E 3. Select Keep it to stay with Microsoft Bing."

Security

Massively Popular Safe Locks Have Secret Backdoor Codes (404media.co) 62

Two of the biggest manufacturers of locks used in commercial safes have been accused of essentially putting backdoors in at least some of their products in a new letter by Senator Ron Wyden. 404 Media: Wyden is urging the U.S. government to explicitly warn the public about the vulnerabilities, which Wyden says could be exploited by foreign adversaries to steal what U.S. businesses store in safes, such as trade secrets. The little known "manufacturer" or "manager" reset codes could let third parties -- such as spies or criminals -- bypass locks without the owner's consent and are sometimes not disclosed to customers. Wyden's office also found that while the U.S. Department of Defense (DoD) bans such locks for sensitive and classified U.S. government use in part due to the security vulnerability reset codes pose, the government has deliberately not warned the public about the existence of these backdoors.

The specific companies named in Wyden's letter are China-based SECURAM and U.S.-based Sargent and Greenleaf (S&G). Each produces keypad locks which are then implemented into safes by other manufacturers. The full list of locks that contain backdoor codes is unknown, but documentation available online points to multiple SECURAM products which do include them, and S&G confirmed to Wyden's office that some of its own locks also have similar codes.

Security

Record Breach of French Government Exposes Up To 43 Million People's Data 11

France Travail, the government agency responsible for assisting the unemployed, has fallen victim to a massive data breach exposing the personal information of up to 43 million French citizens dating back two decades, the department announced on Wednesday. The incident, which has been reported to the country's data protection watchdog (CNIL), is the latest in a series of high-profile cyber attacks targeting French government institutions and underscores the growing threat to citizens' private data. From a report: The department's statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed. Passwords and banking details aren't affected, at least. That said, CNIL warned that the data stolen during this incident could be linked to stolen data in other breaches and used to build larger banks of information on any given individual. It's not clear whether the database's entire contents were stolen by attackers, but the announcement suggests that at least some of the data was extracted.

Google

Google's Safe Browsing Protection in Chrome Goes Real-Time (techcrunch.com) 49

Google announced a major change to its Safe Browsing feature in Chrome today that will make the service work in real time by checking against a server-side list -- all without sharing your browsing habits with Google. From a report: Previously, Chrome downloaded a list of known sites that harbor malware, unwanted software and phishing scams once or twice per hour. Now, Chrome will move to a system that will send the URLs you are visiting to its servers and check against a rapidly updated list there. The advantage of this is that it doesn't take up to an hour to get an updated list because, as Google notes, the average malicious site doesn't exist for more than 10 minutes.

The company claims that this new server-side system can catch up to 25 percent more phishing attacks than using local lists. These local lists have also grown in size, putting more of a strain on low-end machines and low-bandwidth connections. Google is rolling out this new system to desktop and iOS users now, with Android support coming later this month.

IT

Modern Workplace Tech Linked To Lower Employee Well-Being, Study Finds (techspot.com) 39

According to a new study from the Institute for the Future of Work, contemporary technology often has a negative impact on workers' quality of life. The think tank surveyed over 6,000 people to learn how four categories of workplace technologies affected their wellbeing. TechSpot reports the findings: The study found that increased exposure to three of the categories tended to worsen workers' mental state and health. The three areas that negatively impact people most are wearable and remote sensing technologies, which covers CCTV cameras and wearable trackers; robotics, consisting of automated machines, self-driving vehicles, and other equipment; and, unsurprisingly, technologies relating to AI and ML, which includes everything from decision management to biometrics. Only one of the categories was found to be beneficial to employees, and it's one that has been around for decades: ICT tech such as laptops, tablets, phones, and real-time messaging tools.

Privacy

Stanford University Failed To Detect Ransomware Intruders For 4 Months (theregister.com) 22

Connor Jones reports via The Register: Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months. Keen readers of El Reg may remember the story breaking toward the end of October 2023 after Akira posted Stanford to its shame site, with the university subsequently issuing a statement simply explaining that it was investigating an incident, avoiding the dreaded R word. Well, surprise, surprise, ransomware was involved, according to a data breach notice sent out to the 27,000 people affected by the attack.

Akira targeted the university's Department of Public Safety (DPS) and this week's filing with the Office of the Maine Attorney General indicates that Stanford became aware of the incident on September 27, more than four months after the initial breach took place. According to Monday's filing, the data breach occurred on May 12 2023 but was only discovered on September 27 of last year, raising questions about whether the attacker(s) was inside the network the entire time and why it took so long to spot the intrusion.

It's not fully clear what information was compromised, but the draft letters include placeholders for three different variables. However, the filing with Maine's AG suggests names and social security numbers are among the data types to have been stolen. All affected individuals have been offered 24 months of free credit monitoring, including access to a $1 million insurance reimbursement policy and ID theft recovery services. Akira's post dedicated to Stanford on its leak site claims it stole 430 GB worth of data, including personal information and confidential documents. It's all available to download via a torrent file and the fact it remains available for download suggests the research university didn't pay whatever ransom the attackers demanded.

Bug

Google Paid $10 Million In Bug Bounty Rewards Last Year (bleepingcomputer.com) 17

Bill Toulas reports via BleepingComputer: Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid to researchers in 2022, the amount is still significant, showcasing a high level of community participation in Google's security efforts.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program's launch in 2010 has reached $59 million. For Android, the world's most popular and widely used mobile operating system, the program awarded over $3.4 million. Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports. During security conferences like ESCAL8 and hardwear.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables. Google's other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

The Internet

Speedometer 3.0: A Shared Browser Benchmark for Web Application Responsiveness (browserbench.org) 15

Contributors from Apple, Google, Microsoft, and Mozilla, writing for BrowserBench: Since the initial version of the Speedometer benchmark was released in 2014 by the WebKit team, it has become a key tool for browser engines to drive performance optimizations as users and developers continue to demand richer and smoother experiences online.

We're proud to release Speedometer 3.0 today as a collaborative effort between the three major browser engines: Blink, Gecko, and WebKit. Like previous releases (Speedometer 2 in 2018 and Speedometer 1 in 2014), it's designed to measure web application responsiveness by simulating user interactions on real web pages. Today's release of Speedometer 3.0 marks a major step forward in web browser performance testing: it introduces a better way of measuring performance and a more representative set of tests that reflect the modern Web.

This is the first time the Speedometer benchmark, or any major browser benchmark, has been developed through a cross-industry collaboration supported by each major browser engine: Blink/V8, Gecko/SpiderMonkey, and WebKit/JavaScriptCore. It's been developed under a new governance model, driven by consensus, and is hosted in a shared repository that's open to contribution. This new structure involves a lot of collective effort: discussions, research, debates, decisions, and hundreds of PRs since we announced the project in December 2022.

Speedometer 3 adds many new tests. We started designing this new benchmark by identifying some key scenarios and user interactions that we felt were important for browsers to optimize. In particular, we added new tests that simulate rendering canvas and SVG charts (React Stockcharts, Chart.js, Perf Dashboard, and Observable Plot), code editing (CodeMirror), WYSIWYG editing (TipTap), and reading news sites (Next.js and Nuxt.js).

Privacy

Over 15,000 Roku Accounts Sold To Buy Streaming Subscriptions, Devices (bleepingcomputer.com) 25

Over 15,000 Roku customers were hacked and used to make fraudulent purchases of hardware and streaming subscriptions. According to BleepingComputer, the threat actors were "selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases." From the report: On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack. A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com. The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses. This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice. "As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions." Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident. Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.

A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers. Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below where 439 accounts are being sold. The seller of these accounts provides information on how to change information on the account to make fraudulent purchases. Those who purchase the stolen accounts hijack them with their own information and use stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes. After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.

AI

Midjourney Bans All Stability AI Employees Over Alleged Data Scraping (theverge.com) 12

Jess Weatherbed reports via The Verge: Midjourney says it has banned Stability AI staffers from using its service, accusing employees at the rival generative AI company of causing a systems outage earlier this month during an attempt to scrape Midjourney's data. Midjourney posted an update to its Discord server on March 2nd that acknowledged an extended server outage was preventing generated images from appearing in user galleries. In a summary of a business update call on March 6th, Midjourney claimed that "botnet-like activity from paid accounts" -- which the company specifically links to Stability AI employees -- was behind the outage.

According to Midjourney user Nick St. Pierre on X, who listened to the call, Midjourney said that the service was brought down because "someone at Stability AI was trying to grab all the prompt and image pairs in the middle of a night on Saturday." St. Pierre said that Midjourney had linked multiple paid accounts to an individual on the Stability AI data team. In its summary of the business update call on March 6th (which Midjourney refers to as "office hours"), the company says it's banning all Stability AI employees from using its service "indefinitely" in response to the outage. Midjourney is also introducing a new policy that will similarly ban employees of any company that exercises "aggressive automation" or causes outages to the service.

St. Pierre flagged the accusations to Stability AI CEO Emad Mostaque, who replied on X, saying he was investigating the situation and that Stability hadn't ordered the actions in question. "Very confusing how 2 accounts would do this team also hasn't been scraping as we have been using synthetic & other data given SD3 outperforms all other models," said Mostaque, referring to the Stable Diffusion 3 AI model currently in preview. He claimed that if the outage was caused by a Stability employee, then it was unintentional and "obviously not a DDoS attack." Midjourney founder David Holz responded to Mostaque in the same thread, claiming to have sent him "some information" to help with his internal investigation.

Privacy

Airbnb is Banning Indoor Security Cameras (theverge.com) 103

Airbnb will no longer allow hosts to use indoor security cameras, regardless of where they're placed or what they're used for. In an update on Monday, Airbnb says the change to "prioritize the privacy" of renters goes into effect on April 30th. From a report: The vacation rental app previously let hosts install security cameras in "common areas" of listings, including hallways, living rooms, and front doors. Airbnb required hosts to disclose the presence of security cameras in their listings and make them clearly visible, and it prohibited hosts from using cameras in bedrooms and bathrooms.

But now, hosts can't use indoor security cameras at all. The change comes after numerous reports of guests finding hidden cameras within their rental, leading some vacation-goers to scan their rooms for cameras. Airbnb's new policy also introduces new rules for outdoor security cameras, and will now require hosts to disclose their use and locations before guests book a listing. Hosts can't use outdoor cams to keep tabs on indoor spaces, either, nor can they use them in "certain outdoor areas where there's a great expectation of privacy," such as an outdoor shower or sauna.

Security

Misconfigured Cloud Servers Targeted with Linux Malware for New Cryptojacking Campaign (cadosecurity.com) 16

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. "A Docker command was received..." they write, "that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server's root directory..." Typically, this is exploited to write out a job for the Cron scheduler to execute... In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh

"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."

The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers write.]

"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."